Equivalent of Apache's SetEnv Variable

Michael Shadle mike503 at gmail.com
Thu Aug 5 01:48:07 MSD 2010


On Wed, Aug 4, 2010 at 2:44 PM, Ed W <lists at wildgooses.com> wrote:

> However, all the default configs that I have seen for PHP setups on the
> wiki, etc., seem insecure to my mind.  They nearly all point *all* files
> named xx.php to be processed by your PHP interpreter.  Coupled with
> nearly all non-trivial applications having some "upload" feature, this allows
> a gaping potential issue: upload arbitrary files named xx.php and you are
> allowing arbitrary code to be uploaded...

Someone just posted this on my blog:

location ~ \.php$ {
    ....
    try_files $uri =404;
    ...
}

exploit http://site.ru/images/as5df3.jpeg/.php

Might be an interesting approach, haven't tried it yet. Would this add
an additional stat call or two, though, for every PHP request, Igor?

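The following is an added example, not code from this thread, from nginx or from PHP. It models the mechanism behind the exploit URI Michael quotes and what `try_files $uri =404` changes. In a stock `location ~ \.php$` block, `SCRIPT_FILENAME` is `$document_root$fastcgi_script_name`, so `/images/as5df3.jpeg/.php` is handed to PHP-FPM as a path that does not exist; PHP's `cgi.fix_pathinfo=1` then walks back the path until it finds a real file (`as5df3.jpeg`, an "image" an attacker uploaded) and executes it, treating `/.php` as `PATH_INFO`. The `try_files` line makes nginx stat `$document_root$uri` first and answer 404 itself when that is not a regular file. The document root, file names and payload below are constructed; the PHP side is a simplified model of the fix_pathinfo walk, not PHP's actual code.

```python
"""Model of the nginx + PHP-FPM path-info problem behind the exploit URI in
the post, and of the try_files $uri =404 mitigation. Added example, not code
from the mailing list, nginx or PHP; the PHP side is a simplified model of
cgi.fix_pathinfo=1. Document root and file names are constructed."""
import os
import re
import tempfile

# The regex behind `location ~ \.php$`: any URI ending in .php is handed to
# PHP-FPM, which includes /images/as5df3.jpeg/.php.
PHP_LOCATION = re.compile(r"\.php$")


def fix_pathinfo_resolve(document_root, uri):
    """Simplified model of PHP with cgi.fix_pathinfo=1 (the default).

    SCRIPT_FILENAME = $document_root$fastcgi_script_name does not exist, so PHP
    strips trailing path components until it reaches an existing regular file,
    executes that file, and reports the stripped tail as PATH_INFO.
    Returns (script_path, path_info), or (None, None) if nothing is found.
    """
    script = os.path.normpath(document_root + uri)
    path_info = ""
    while len(script) > len(document_root):
        if os.path.isfile(script):
            return script, path_info
        head, tail = os.path.split(script)
        path_info = "/" + tail + path_info
        script = head
    return None, None


def nginx_dispatch(document_root, uri, use_try_files):
    """Model of nginx handling one request against the config in the post.

    Returns one of:
      ("static", None)       URI did not match the PHP location
      ("404", None)          try_files found no such file; PHP never runs
      ("fastcgi", script)    request forwarded; `script` is what PHP executes
    """
    if not PHP_LOCATION.search(uri):
        return ("static", None)
    if use_try_files and not os.path.isfile(document_root + uri):
        # try_files $uri =404 costs one stat() of $document_root$uri, and that
        # stat() is the whole defence: /images/as5df3.jpeg/.php is not a file.
        return ("404", None)
    script, _ = fix_pathinfo_resolve(document_root, uri)
    return ("fastcgi", script)


def demo():
    """Constructed document root holding an 'image' upload that is really PHP."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "images"))
    with open(os.path.join(root, "images", "as5df3.jpeg"), "w") as f:
        f.write("<?php phpinfo(); ?>")  # constructed payload disguised as a JPEG
    exploit_uri = "/images/as5df3.jpeg/.php"
    return {
        # The upload fetched by its own name is served as a static file.
        "plain_download": nginx_dispatch(root, "/images/as5df3.jpeg", True),
        # Without try_files, PHP walks back to as5df3.jpeg and executes it.
        "without_try_files": nginx_dispatch(root, exploit_uri, False),
        # With try_files $uri =404, nginx stops the request itself.
        "with_try_files": nginx_dispatch(root, exploit_uri, True),
        # What PHP would have reported as PATH_INFO for the exploit URI.
        "php_sees": fix_pathinfo_resolve(root, exploit_uri)[1],
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:20s} {outcome}")
```

The `try_files` check answers Michael's cost question in the model too: it is exactly one extra stat of `$document_root$uri` per PHP request, and only requests that match the location pay it. Note that the fix relies on nginx and PHP-FPM sharing the same filesystem view; when PHP-FPM runs on another host or with a different document root, nginx's stat says nothing about what PHP will find, and the PHP-side settings (`cgi.fix_pathinfo=0`, or PHP-FPM's `security.limit_extensions`, both PHP facts not discussed in the post) are the ones that close the hole.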