Equivalent of Apache's SetEnv Variable
Igor Sysoev
igor at sysoev.ru
Thu Aug 5 11:29:55 MSD 2010
On Thu, Aug 05, 2010 at 09:17:17AM +0200, Grzegorz Nosek wrote:
> On Wed, Aug 04, 2010 at 02:48:07 -0700, Michael Shadle wrote:
> > Someone just posted this on my blog:
> >
> > location ~ \.php$ {
> >     ....
> >     try_files $uri =404;
> >     ...
> > }
> >
> > exploit http://site.ru/images/as5df3.jpeg/.php
> >
> > might be an interesting approach, haven't tried it yet. Would this add
> > an additional stat call or two though for every PHP request, Igor?
>
> While we're at it, I had an experimental patch some time ago that
> provided location mapping based on file extensions instead of URIs which
> would prevent the above exploit.
>
> The config looked like:
>
> types {
>     # ...
>     application/x-httpd-php php;
> }
>
> location / {
>     root /the/document/root;
> }
>
> location @application/x-httpd-php {
>     fastcgi_pass ...; # etc.
> }
>
>
> It never went to production but I guess I could refresh and post it if
> there's some interest in it and it has a chance of being accepted
> upstream (guarded with some config option, of course).
How may this prevent the exploit if a requested file is
"/dir/1.gif/2.php"? As I understand it, the file will have the
"application/x-httpd-php" type?
--
Igor Sysoev
http://sysoev.ru/en/
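
Added example, not part of the thread and not nginx code: a small Python model of the two checks discussed above, routing the thread's sample URIs through a `location ~ \.php$` match with and without the `try_files $uri =404` guard, and typing "/dir/1.gif/2.php" by extension as in Igor's question. The function names, the constructed document root and the simplified extension rule are assumptions made for illustration.

```python
import os
import re
import tempfile

PHP_LOCATION = re.compile(r"\.php$")  # models: location ~ \.php$
# Constructed type map; only the php entry appears in the thread.
TYPES = {"php": "application/x-httpd-php", "gif": "image/gif", "jpeg": "image/jpeg"}


def try_files_uri(root, uri):
    """Models try_files $uri =404: true only if $uri is an existing regular file."""
    return os.path.isfile(os.path.join(root, uri.lstrip("/")))


def route_by_uri(root, uri, guard):
    """Route a URI through the regex location, with or without the guard."""
    if not PHP_LOCATION.search(uri):
        return "static"
    if guard and not try_files_uri(root, uri):
        return "404"
    return "fastcgi"


def type_by_extension(uri):
    """Simplified assumption: type comes from the extension of the last URI segment."""
    stem, dot, ext = uri.rsplit("/", 1)[-1].rpartition(".")
    return TYPES.get(ext) if dot and stem else None


def demo():
    """Build a constructed document root and route the thread's sample URIs."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "images"))
        for name in ("index.php", "images/as5df3.jpeg"):
            with open(os.path.join(root, name), "w") as f:
                f.write("constructed sample file\n")
        uris = ["/index.php", "/images/as5df3.jpeg", "/images/as5df3.jpeg/.php"]
        return {u: (route_by_uri(root, u, False), route_by_uri(root, u, True))
                for u in uris}


if __name__ == "__main__":
    for uri, (unguarded, guarded) in demo().items():
        print(f"{uri:28} no guard: {unguarded:8} try_files guard: {guarded}")
    # Igor's case: the last segment ends in .php, so the type is still PHP.
    print("/dir/1.gif/2.php ->", type_by_extension("/dir/1.gif/2.php"))
```
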