Equivalent of Apache's SetEnv Variable
Grzegorz Nosek
grzegorz.nosek at gmail.com
Thu Aug 5 11:17:17 MSD 2010
On Wed, Aug 04, 2010 at 02:48:07 -0700, Michael Shadle wrote:
> Someone just posted this on my blog:
>
> location ~ \.php$ {
> ....
> try_files $uri =404;
> ...
> }
>
> exploit http://site.ru/images/as5df3.jpeg/.php
>
> might be an interesting approach, haven't tried it yet. would this add
> an additional stat call or two though for every PHP request, Igor?

While we're at it, I had an experimental patch some time ago that
provided location mapping based on file extensions instead of URIs which
would prevent the above exploit.

The config looked like:

types {
    # ...
    application/x-httpd-php php;
}

location / {
    root /the/document/root;
}

location @application/x-httpd-php {
    fastcgi_pass ...; # etc.
}

It never went to production but I guess I could refresh and post it if
there's some interest in it and it has a chance of being accepted
upstream (guarded with some config option, of course).

Best regards,
Grzegorz Nosek
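
An added example, not part of the original message and not nginx code: a small Python audit that scans an nginx configuration for regex locations that would match the URI quoted above and hand it to FastCGI without the `try_files $uri =404;` check. The sample configuration, the function names and the use of Python's `re` as a stand-in for nginx's PCRE matching are assumptions made for illustration.

```python
import re

# Constructed sample config (not from the thread): the first PHP location
# lacks the existence check, the second carries the try_files guard quoted above.
SAMPLE_CONF = r"""
server {
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass 127.0.0.1:9000;
    }
}
server {
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_pass 127.0.0.1:9000;
    }
}
"""

PROBE_URI = "/images/as5df3.jpeg/.php"  # path of the URL quoted in the post
LOCATION_RE = re.compile(r"location\s+(~\*?)\s+(\S+)\s*\{")
# Only the try_files form is recognised; other guards are reported as missing.
GUARD_RE = re.compile(r"try_files\s+[^;]*=404\s*;")


def block_body(conf, open_brace):
    """Return the text between the brace at open_brace and its matching close."""
    depth = 0
    for i in range(open_brace, len(conf)):
        depth += {"{": 1, "}": -1}.get(conf[i], 0)
        if depth == 0:
            return conf[open_brace + 1:i]
    raise ValueError("unbalanced braces")


def unguarded_php_locations(conf, probe=PROBE_URI):
    """Return (line, pattern) for each regex location that matches the probe
    URI and reaches fastcgi_pass without a try_files ... =404 check."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments, keep line numbers
    findings = []
    for m in LOCATION_RE.finditer(conf):
        flags = re.IGNORECASE if m.group(1) == "~*" else 0
        if not re.search(m.group(2), probe, flags):
            continue
        body = block_body(conf, m.end() - 1)
        if "fastcgi_pass" in body and not GUARD_RE.search(body):
            findings.append((conf.count("\n", 0, m.start()) + 1, m.group(2)))
    return findings
```

Calling `unguarded_php_locations(SAMPLE_CONF)` reports only the first location block; the scanner is a text heuristic and does not follow `include` files or handle braces inside regex patterns.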