Confusion over apparently conflicting advice in guide/wiki/examples

talkingnews nginx-forum at nginx.us
Tue Mar 4 20:51:36 UTC 2014 

Hi BR and thank you for your reply. You said:

> Where does the 'sites-available' directory of nginx came from?

Standard "apt-get install nginx" on Ubunutu. Stable and mainline.
Like Apache, 'sites-available' contains all sites, then you can symlink to
'sites-enabled' for running sites.
It's just the Ubuntu way :)

> There is no such DOCUMENT_URI server variable in PHP 
> The nginx wiki has not the reputation of being a trustable source

I know you say not to trust the wiki (it appears in
http://wiki.nginx.org/PHPFcgiExample) but it also is in the standard install
of nginx on ubuntu which comes with an /etc/nginx/fastcgi_params file
containing 
fastcgi_param   DOCUMENT_URI            $document_uri;

Perhaps it should not even be there? Should I report it as a possible error
to the Ubuntu package maintainers?

> The '0' value seems to exist for backward-compatibility as it provides a
broken environment.
> Thus, scripts relying on such a value are highly suspicious to my eyes.
> What exactly are you referring to in the pitfalls page saying that you
setup is dangerous?​

Well, in your reply you say that it provides a broken environment, but as I
mentioned, in both the nginx wiki AND in the default config file which comes
with a standard nginx install on Ubuntu, it says 
# NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini

So, you can understand my confusion here! PHP says leave it on. You say
leave it on. Nginx stand install and wiki says turn it off so that nginx
doesn't keep trying files. The pitfalls page says:

------------------------
"For instance, if a request is made for /forum/avatar/1232.jpg/file.php
which does not exist but if /forum/avatar/1232.jpg does, the PHP interpreter
will process /forum/avatar/1232.jpg instead. If this contains embedded PHP
code, this code will be executed accordingly.
Options for avoiding this are:
Set cgi.fix_pathinfo=0 in php.ini. This causes the PHP interpreter to only
try the literal path given and to stop processing if the file is not
found."
------------------------

So what I meant was that setting cgi.fix_pathinfo = 1 may leave this
security gap of executing unwanted code.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,248051,248110#msg-248110

More information about the nginx mailing list