Equivalent of Apache's SetEnv Variable

Igor Sysoev igor at sysoev.ru
Thu Aug 5 10:38:20 MSD 2010


On Wed, Aug 04, 2010 at 02:48:07PM -0700, Michael Shadle wrote:

> On Wed, Aug 4, 2010 at 2:44 PM, Ed W <lists at wildgooses.com> wrote:
> 
> > However, all the default configs that I have seen for PHP setups on the
> > wiki, etc, seem insecure to my mind.  They nearly all point *all* files
> > named xx.php to be processed by your php interpreter.  Coupled with
> > nearly all non trivial applications having some "upload" feature this allows
> > a gaping potential issue to upload arbitrary files named xx.php and you are
> > allowing arbitrary code to be uploaded...
> 
> Someone just posted this on my blog:
> 
> location ~ \.php$ {
> ....
> try_files $uri =404;
> ...
> }
> 
> exploit http://site.ru/images/as5df3.jpeg/.php
> 
> might be an interesting approach, haven't tried it yet. Would this add
> an additional stat call or two though for every PHP request, Igor?

Yes, it adds a stat() syscall, however, it can be eliminated with
open_file_cache. Note also that it works only if nginx and php are
on the same host.


-- 
Igor Sysoev
http://sysoev.ru/en/
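A toy model of the check discussed in this thread, added here as an illustration and not code from the nginx project or from anyone in the thread: it mimics `location ~ \.php$ { try_files $uri =404; }` against a constructed document root, counts the stat() calls Igor mentions, and uses a plain dict as a stand-in for open_file_cache. The URIs, file names and the docroot layout are constructed for the demo.

```python
import os
import re
import tempfile

PHP_LOCATION = re.compile(r"\.php$")   # stands in for: location ~ \.php$


class StatCounter:
    """Counts stat() calls; the optional dict plays the role of open_file_cache."""

    def __init__(self, use_cache=False):
        self.calls = 0
        self.cache = {} if use_cache else None

    def is_file(self, path):
        if self.cache is not None and path in self.cache:
            return self.cache[path]          # cache hit: no syscall
        self.calls += 1                      # one stat() per uncached lookup
        result = os.path.isfile(path)        # False for a missing path or ENOTDIR
        if self.cache is not None:
            self.cache[path] = result
        return result


def handle_request(docroot, uri, stats):
    """Status nginx would return before passing the request to PHP.

    Only URIs matching the PHP location are checked; `try_files $uri =404`
    stats exactly $document_root$uri and answers 404 unless it is a regular file.
    """
    if not PHP_LOCATION.search(uri):
        return "not-php-location"
    path = os.path.join(docroot, uri.lstrip("/"))
    return 200 if stats.is_file(path) else 404


def demo():
    """Constructed docroot: one real script plus one 'uploaded' image."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "images"))
    open(os.path.join(root, "index.php"), "w").close()
    open(os.path.join(root, "images", "as5df3.jpeg"), "w").close()
    uris = ["/index.php", "/images/as5df3.jpeg", "/images/as5df3.jpeg/.php"]
    uncached = StatCounter()
    results = {uri: handle_request(root, uri, uncached) for uri in uris}
    cached = StatCounter(use_cache=True)
    for _ in range(3):                       # repeated hits on the same script
        handle_request(root, "/index.php", cached)
    return results, uncached.calls, cached.calls
```

The `.jpeg/.php` request matches the PHP location but fails the stat (the `.jpeg` component is a file, not a directory), so it never reaches the interpreter; the cached counter shows three requests costing a single stat().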
