Equivalent of Apache's SetEnv Variable

Igor Sysoev igor at sysoev.ru
Thu Aug 5 12:19:22 MSD 2010


On Thu, Aug 05, 2010 at 10:11:29AM +0200, Grzegorz Nosek wrote:

> On Thu, Aug 05, 2010 at 12:09:33PM +0400, Igor Sysoev wrote:
> > What about when "/dir/1.gif/2.php" is proxied to a remote server?
> > nginx has no access to the filesystem of the file.
> 
> It doesn't go via the static module then and the patch won't do
> anything.

The issue is that someone is able to upload an image file to a directory
with scripts (I do not know why he is not able to override some valid
images or even the scripts themselves in this case). Then someone requests
the image file as "/dir/1.gif/2.php", making an exploit. I do not see
how using types will help in a case when nginx has no access to the remote
filesystem.


-- 
Igor Sysoev
http://sysoev.ru/en/
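
The request shape discussed in this message can be recognized from the URI alone, which is the only information available when the request is proxied and the filesystem is remote. The following is an added example, not part of the original message and not nginx code; the extension lists, the log format and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumed lists: extensions accepted by upload directories, and extensions
# that the backend hands to a script interpreter.
STATIC_EXT = {"gif", "jpg", "jpeg", "png", "txt", "pdf"}
SCRIPT_EXT = {"php"}

# Request line inside a combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def _ext(segment: str) -> str:
    """Lower-cased extension of one path segment, or '' if it has none."""
    return segment.rpartition(".")[2].lower() if "." in segment else ""


def is_pathinfo_confusion(uri: str) -> bool:
    """True when a static-looking segment precedes a script-looking tail,
    as in "/dir/1.gif/2.php". Uses only the URI, no filesystem lookup."""
    path = unquote(urlsplit(uri).path)          # drop query, decode %2E etc.
    segments = [s for s in path.split("/") if s]
    if len(segments) < 2 or _ext(segments[-1]) not in SCRIPT_EXT:
        return False
    return any(_ext(s) in STATIC_EXT for s in segments[:-1])


def flag_log_lines(lines):
    """Return the request URIs in the log lines that match the pattern."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and is_pathinfo_confusion(m.group(1)):
            hits.append(m.group(1))
    return hits


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Aug/2010:12:00:01 +0400] "GET /dir/1.gif HTTP/1.1" 200 512',
    '192.0.2.11 - - [05/Aug/2010:12:00:02 +0400] "GET /dir/1.gif/2.php HTTP/1.1" 200 17',
    '192.0.2.12 - - [05/Aug/2010:12:00:03 +0400] "GET /v1.2/index.php?a=1 HTTP/1.1" 200 90',
    '192.0.2.13 - - [05/Aug/2010:12:00:04 +0400] "POST /up/a%2EJPG/x.php?q=1 HTTP/1.1" 200 3',
]

if __name__ == "__main__":
    for uri in flag_log_lines(SAMPLE_LOG):
        print("suspicious:", uri)
```

The same test can be applied at the proxy as a reject rule; it inspects only the path, so a directory legitimately named like a file (for example `/docs.pdf/index.php`) would also match.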


