authenticated session downloads auth_basic protected php files

zsero nginx-forum at nginx.us
Sat Sep 29 22:52:40 UTC 2012


Hi, I'm an nginx newbie, but I think I'm experiencing something seriously
strange. I'm not sure I can reproduce the steps needed, but the thing is
that I ended up with nginx downloading protected php files from the site!

Step 1. make a normal site with say one php file
Step 2. make an auth_basic protected folder on it
Step 3. authenticate yourself in Google Chrome (maybe it works in others
too)
Step 4. now modify the config such that a php file that wasn't protected
before is protected now, reload
Step 5. now if you load the new php file in Chrome, instead of asking for
the authentication dialog, or parsing the file properly, it downloads it! I
mean the pure PHP file with all its code and plaintext content inside it!

I'm not sure that the above steps are the precise steps required to
reproduce the bug, but I've repeatedly ended up downloading php files from
the server. Closing Chrome and cleaning the cache fixed it.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,231253,231253#msg-231253


