<div dir="ltr"><div><div><div>No I mean the \.php regex based one.<br><br></div>It's just that it opens the door to a lot of problems by allowing all .php scripts to be <br></div>processed.<br><br></div><div>Furthermore it's even mentioned on the wiki Pitfalls page: <br>
</div><div><a href="http://wiki.nginx.org/Pitfalls#Passing_Uncontrolled_Requests_to_PHP">http://wiki.nginx.org/Pitfalls#Passing_Uncontrolled_Requests_to_PHP</a><br><br></div></div><div class="gmail_extra"><br clear="all">
<div>----appa<br><br></div>
<br><br><div class="gmail_quote">On Thu, Feb 13, 2014 at 2:29 PM, Maxim Dounin <span dir="ltr"><<a href="mailto:mdounin@mdounin.ru" target="_blank">mdounin@mdounin.ru</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hello!<br>
<div class=""><br>
On Thu, Feb 13, 2014 at 02:09:34PM +0100, António P. P. Almeida wrote:<br>
<br>
> This type of configuration is insecure since there's no whitelisting of the<br>
> PHP scripts to be processed.<br>
<br>
</div>You mean "location / { fastcgi_pass ... }"? This type of<br>
configuration assumes that any files under "/" are php scripts,<br>
and it's ok to execute them.<br>
<br>
Obviously it won't be secure if you allow utrusted parties to put<br>
files there. But the problem is what you allow, not the<br>
configuration per se.<br>
<div class="HOEnZb"><div class="h5"><br>
--<br>
Maxim Dounin<br>
<a href="http://nginx.org/" target="_blank">http://nginx.org/</a><br>
<br>
_______________________________________________<br>
nginx mailing list<br>
<a href="mailto:nginx@nginx.org">nginx@nginx.org</a><br>
<a href="http://mailman.nginx.org/mailman/listinfo/nginx" target="_blank">http://mailman.nginx.org/mailman/listinfo/nginx</a></div></div></blockquote></div><br></div>