Thu Aug 5 01:44:51 MSD 2010

  On 04/08/2010 01:21, Michael Shadle wrote:
> What I've realized over the couple of years I've been using nginx is that
> most people overengineer their configuration. I hardly ever need more
> than a few lines of special sauce for anything I've run in nginx. Of
> course, I'm a minimalist.

However, all the default configs that I have seen for PHP setups on the 
wiki, etc., seem insecure to my mind.  They nearly all point *all* files 
named xx.php to be processed by your php interpreter.  Coupled with 
nearly all non-trivial applications having some "upload" feature, this 
allows a gaping potential issue: upload an arbitrary file named xx.php 
and you are allowing arbitrary code to be uploaded...

I set up my machines to only point files in limited directories to be 
processed by the php interpreter, coupled with specific handling of any 
upload/temp/template/public directories or anywhere else that might 
accidentally contain something it shouldn't...

See, just checked the wiki.  Surely this example allows you to 
immediately upload a new file with a .php suffix and exploit the server?
Does Drupal allow uploads?  If so then good luck...
Surely Dokuwiki allows uploads?

Make your config secure!  Don't just trust the upload function parsing 
and allowing only certain filename patterns!
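As an added example (not from this post or the nginx wiki), here is a server block in the spirit of the advice above: the wiki-style catch-all is shown commented out, and the live config passes only an allowlist of script paths to PHP-FPM while the upload tree is served static-only. The document root /var/www/app, the /files/ upload path, the entry-point names and the backend address 127.0.0.1:9000 are assumptions.

```nginx
# Assumed layout: app under /var/www/app, uploads under /var/www/app/files/,
# PHP-FPM listening on 127.0.0.1:9000.

# The pattern the post objects to: any *.php anywhere under the root is
# executed, so an uploaded files/avatar.php runs as soon as it is requested.
#
#   location ~ \.php$ {
#       include       fastcgi_params;
#       fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
#       fastcgi_pass  127.0.0.1:9000;
#   }

server {
    listen      80;
    server_name example.test;      # assumed hostname
    root        /var/www/app;
    index       index.php;

    # Upload tree: ^~ makes this prefix location win without consulting the
    # top-level regex locations below, so nothing here reaches PHP-FPM.
    # Anything that looks like a script is refused outright rather than
    # served as source.
    location ^~ /files/ {
        location ~ \.(php|phtml|phar)$ { return 403; }
    }

    # Static files first; unknown paths fall through to the front controller.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Allowlist of script paths that may be executed (first matching regex
    # wins, so this must precede the catch-all below). Adjust the list to
    # the application's real entry points.
    location ~ ^/(index|update|cron)\.php$ {
        try_files     $uri =404;   # only proxy scripts that exist on disk
        include       fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass  127.0.0.1:9000;
    }

    # Every other *.php under the root: neither executed nor disclosed.
    location ~ \.php$ { return 404; }
}
```

Check the result with `nginx -t` and then request a deliberately placed `files/test.php` to confirm it returns 403 instead of executing.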

