Passing Uncontrolled Requests to PHP

Grant emailgrant at
Thu Feb 13 16:44:34 UTC 2014

Does the wiki example mitigate the "Passing Uncontrolled Requests to PHP" risk?

        location ~ [^/]\.php(/|$) {
                fastcgi_split_path_info ^(.+?\.php)(/.*)$;
                if (!-f $document_root$fastcgi_script_name) {
                        return 404;
                }

                fastcgi_index index.php;
                include fastcgi_params;
        }

If not, I'd like to update it.

- Grant
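
One way to check the question against concrete requests, added here as an example that is not part of the original post or of nginx: a simplified Python model of the location match, the `fastcgi_split_path_info` split and the `-f` test from the block quoted above. The names `decide` and `demo`, the temporary document root and the sample URIs are constructed for illustration, and the model assumes each URI is already decoded and normalized the way nginx does before location matching.

```python
# Simplified model of the quoted location block (added example, not nginx code).
import os
import re
import tempfile

LOCATION = re.compile(r"[^/]\.php(/|$)")   # location ~ [^/]\.php(/|$)
SPLIT = re.compile(r"^(.+?\.php)(/.*)$")   # fastcgi_split_path_info


def decide(document_root, uri):
    """Return (action, script_name, path_info) for an already-normalized URI."""
    if not LOCATION.search(uri):
        return ("not-this-location", None, None)
    m = SPLIT.match(uri)
    # When the split regex does not match, $fastcgi_script_name stays equal
    # to the URI and $fastcgi_path_info is empty.
    script, path_info = (m.group(1), m.group(2)) if m else (uri, "")
    # if (!-f $document_root$fastcgi_script_name) { return 404; }
    if not os.path.isfile(document_root + script):
        return ("404", script, path_info)
    return ("fastcgi", script, path_info)


def demo():
    """Evaluate constructed sample URIs against a constructed document root."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "uploads"))
        for name in ("index.php", "uploads/photo.jpg"):
            open(os.path.join(root, name), "w").close()
        uris = [
            "/index.php",                # real script
            "/index.php/extra/path",     # real script plus PATH_INFO
            "/missing.php",              # script path not on disk
            "/uploads/photo.jpg/x.php",  # script path not on disk
            "/uploads/photo.jpg",        # handled by another location
        ]
        return {u: decide(root, u) for u in uris}


if __name__ == "__main__":
    for uri, result in demo().items():
        print(f"{uri:28} -> {result}")
```

Only requests whose split script name is a regular file under the document root reach the FastCGI stage in this model; the rest get the 404 from the `if` block.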
