<div dir="ltr"><div>No, you're just addressing the cgi.fix_pathinfo issue. If I manage to upload a file called owned.php <br>I can execute it because you don't whitelist the scripts that can be executed.<br></div></div>
<div class="gmail_extra"><br clear="all"><div>----appa<br><br></div>
<br><br><div class="gmail_quote">On Thu, Feb 13, 2014 at 5:44 PM, Grant <span dir="ltr"><<a href="mailto:emailgrant@gmail.com" target="_blank">emailgrant@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Does the wiki example mitigate the "Passing Uncontrolled Requests to PHP" risk?<br>
<br>
        location ~ [^/]\.php(/|$) {<br>
                fastcgi_split_path_info ^(.+?\.php)(/.*)$;<br>
                if (!-f $document_root$fastcgi_script_name) {<br>
                        return 404;<br>
                }<br>
<br>
                fastcgi_pass <a href="http://127.0.0.1:9000" target="_blank">127.0.0.1:9000</a>;<br>
                fastcgi_index index.php;<br>
                include fastcgi_params;<br>
        }<br>
<br>
<a href="http://wiki.nginx.org/PHPFcgiExample" target="_blank">http://wiki.nginx.org/PHPFcgiExample</a><br>
<br>
<a href="http://wiki.nginx.org/Pitfalls#Passing_Uncontrolled_Requests_to_PHP" target="_blank">http://wiki.nginx.org/Pitfalls#Passing_Uncontrolled_Requests_to_PHP</a><br>
<br>
If not, I'd like to update it.<br>
<br>
- Grant<br>
<br>
_______________________________________________<br>
nginx mailing list<br>
<a href="mailto:nginx@nginx.org">nginx@nginx.org</a><br>
<a href="http://mailman.nginx.org/mailman/listinfo/nginx" target="_blank">http://mailman.nginx.org/mailman/listinfo/nginx</a><br>
</blockquote></div><br></div>
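<div>As an added illustration of the whitelisting appa is asking for (not code from either poster or from the nginx wiki), the server block below keeps the wiki's <code>-f</code> guard against the cgi.fix_pathinfo pitfall but only hands two named entry scripts to PHP-FPM and never passes anything under an upload directory. The script names, the <code>/uploads/</code> path, the document root and the host name are assumptions.</div>

```nginx
# Added example, not from the thread. Assumes the site's only PHP entry
# points are index.php and admin.php and that user uploads land in /uploads/.
server {
    listen 80;
    server_name example.com;
    root /var/www/example;
    index index.php index.html;

    # The upload tree is static content only. A ^~ prefix match stops nginx
    # from consulting the regex locations below, so an uploaded owned.php is
    # never forwarded to PHP-FPM; .php names are refused rather than served.
    location ^~ /uploads/ {
        location ~ \.php$ { return 403; }
        try_files $uri =404;
    }

    # Whitelist: only these scripts may be executed. The (/|$) tail still
    # permits PATH_INFO such as /index.php/foo/bar.
    location ~ ^/(index|admin)\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        # Same guard as the wiki example: the script must exist on disk, so
        # /images/x.jpg/foo.php cannot be resolved to x.jpg by cgi.fix_pathinfo.
        if (!-f $document_root$fastcgi_script_name) {
            return 404;
        }
        fastcgi_pass 127.0.0.1:9000;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
    }

    # Every other .php request is refused instead of being executed or
    # served as source.
    location ~ \.php$ {
        return 404;
    }

    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }
}
```

<div>Check the result with <code>nginx -t</code>, then request an uploaded <code>.php</code> name and a non-whitelisted script and confirm both are refused while <code>/index.php/foo</code> still reaches PHP-FPM.</div>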