FastCGI security question
Igor Sysoev
igor at sysoev.ru
Fri Apr 23 11:00:31 MSD 2010
On Fri, Apr 23, 2010 at 08:42:19AM +0200, Jérôme Loyet wrote:
> Hi guys,
>
> I'm working on php-fpm and I had an idea for a new feature.
>
> I'd like to pass fastcgi headers to php-fpm which will set some PHP
> ini defines. It's the same as php_value or php_admin_value from the
> php apache module. I imagine something like:
>
> fastcgi_param PHP_INI_VALUE "display_errors=off";
> fastcgi_param PHP_ADMIN_INI_VALUE "open_basedir=/var/www:/tmp";
>
> Even if it sounds great, I wonder if it could be a security breach
> somehow. Is there a way a request can overwrite those parameters by
> forging a particular request ?
No, requests headers are always prefixed with "HTTP_" when they are passed
to FastCGI.
--
Igor Sysoev
http://sysoev.ru/en/
More information about the nginx
mailing list