Equivalent of Apache's SetEnv Variable

Igor Sysoev igor at sysoev.ru
Thu Aug 5 10:38:20 MSD 2010

On Wed, Aug 04, 2010 at 02:48:07PM -0700, Michael Shadle wrote:

> On Wed, Aug 4, 2010 at 2:44 PM, Ed W <lists at wildgooses.com> wrote:
> > However, all the default configs that I have seen for PHP setups on the
> > wiki, etc, seem insecure to my mind.  They nearly all point *all* files
> > named xx.php to be processed by the your php interpreter.  Coupled with
> > nearly all non trivial applications having some "upload" feature this allows
> > a gaping potential issue to upload arbitrary files named xx.php and you are
> > allowing arbitrary code to be uploaded...
> Someone just posted this on my blog:
> location ~ \.php$ {
> ....
> try_files $uri =404;
> ...
> }
> exploit http://site.ru/images/as5df3.jpeg/.php
> might be an interesting approach, haven't tried it yet. would this add
> an additional stat call or two though for every PHP request, Igor?

Yes, it adds a stat() syscall, however, it can be eliminated with
open_file_cache. Note also, that it works only if nginx and php are
on the same host.

Igor Sysoev

More information about the nginx mailing list