FastCGI security question

Jérôme Loyet jerome at loyet.net
Fri Apr 23 10:42:19 MSD 2010


Hi guys,

I'm working on php-fpm and I had an idea for a new feature.

I'd like to pass fastcgi headers to php-fpm which will set some PHP
ini defines. It's the same as php_value or php_admin_value from the
php apache module. I imagine something like:

fastcgi_param PHP_INI_VALUE "display_errors=off";
fastcgi_param PHP_ADMIN_INI_VALUE "open_basedir=/var/www:/tmp";

Even if it sounds great, I wonder if it could be a security breach
somehow. Is there a way a request can overwrite those parameters by
forging a particular request ?

thx for your advices

++ Jerome



More information about the nginx mailing list