Equivalent of Apache's SetEnv Variable

Igor Sysoev igor at sysoev.ru
Thu Aug 5 11:29:55 MSD 2010


On Thu, Aug 05, 2010 at 09:17:17AM +0200, Grzegorz Nosek wrote:

> On śro, sie 04, 2010 at 02:48:07 -0700, Michael Shadle wrote:
> > Someone just posted this on my blog:
> > 
> > location ~ \.php$ {
> > ....
> > try_files $uri =404;
> > ...
> > }
> > 
> > exploit http://site.ru/images/as5df3.jpeg/.php
> > 
> > might be an interesting approach, haven't tried it yet. would this add
> > an additional stat call or two though for every PHP request, Igor?
> 
> While we're at it, I had an experimental patch some time ago that
> provided location mapping based on file extensions instead of URIs which
> would prevent the above exploit.
> 
> The config looked like:
> 
> types {
>   # ...
>   application/x-httpd-php php;
> }
> 
> location / {
>   root /the/document/root;
> }
> 
> location @application/x-httpd-php {
>   fastcgi_pass ...; # etc.
> }
> 
> 
> It never went to production but I guess I could refresh and post it if
> there's some interest in it and it has a chance of being accepted
> upstream (guarded with some config option, of course).

How may this prevent from the exploit if a requested file is
"/dir/1.gif/2.php" ? As I understand the file will have
"application/x-httpd-php" type ?


-- 
Igor Sysoev
http://sysoev.ru/en/



More information about the nginx mailing list