fastcgi & index
Maxim Dounin
mdounin at mdounin.ru
Thu Feb 13 14:14:11 UTC 2014
Hello!
On Thu, Feb 13, 2014 at 02:47:35PM +0100, António P. P. Almeida wrote:
> No I mean the \.php regex based one.
So now you probably know why top-posting is discouraged. ;)
> It's just that it opens the door to a lot of problems by allowing all .php
> scripts to be processed.
>
> Furthermore it's even mentioned on the wiki Pitfalls page:
> http://wiki.nginx.org/Pitfalls#Passing_Uncontrolled_Requests_to_PHP
Trivial and correct fix for the problem mentioned on the wiki is
to properly configure php, with cgi.fix_pathinfo=0.
I would also recommend not allowing php at all under the locations
where you allow untrusted parties to put files - or, rather, only
allow php under locations where untrusted parties are not
allowed to put files, by properly isolating \.php$ location.
But again, there is nothing wrong with the configuration per se.
--
Maxim Dounin
http://nginx.org/
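
An added illustration of the two measures named in the message above (not part of the original post and not configuration from the nginx project): `cgi.fix_pathinfo=0` on the PHP side, and a `\.php$` location that cannot match under a directory writable by untrusted parties. The server name, document root, `/uploads/` path and FastCGI socket are assumptions.

```nginx
# Added example; every name and path here is an assumption.
# The PHP-side fix lives in php.ini, not in nginx:
#     cgi.fix_pathinfo=0

server {
    listen 80;
    server_name example.org;          # placeholder
    root /var/www/example;            # placeholder document root
    index index.php index.html;

    # Directory where untrusted parties may put files (hypothetical).
    # The "^~" modifier tells nginx not to check regex locations once
    # this prefix is the longest match, so the \.php$ location below
    # is never selected for anything under /uploads/. A request for
    # /uploads/x.php is served as a static file, not passed to PHP.
    location ^~ /uploads/ {
        default_type application/octet-stream;
        types { }                     # no type guessing for uploads
    }

    location / {
        try_files $uri $uri/ =404;
    }

    # PHP is passed to FastCGI only outside the upload tree.
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php-fpm.sock;   # placeholder socket
    }
}
```

A quick check after reloading is to request a `.php` file under the upload path and confirm the response is the raw file with `Content-Type: application/octet-stream` rather than PHP output.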