fastcgi & index

Maxim Dounin mdounin at
Thu Feb 13 13:29:10 UTC 2014


On Thu, Feb 13, 2014 at 02:09:34PM +0100, António P. P. Almeida wrote:

> This type of configuration is insecure since there's no whitelisting of the
> PHP scripts to be processed.

You mean "location / { fastcgi_pass ... }"?  This type of 
configuration assumes that any files under "/" are php scripts, 
and it's ok to execute them.

Obviously it won't be secure if you allow utrusted parties to put 
files there.  But the problem is what you allow, not the 
configuration per se.

Maxim Dounin

More information about the nginx mailing list