Equivalent of Apache's SetEnv Variable
Jim Ohlstein
jim at ohlste.in
Fri Aug 27 06:20:50 MSD 2010
On 8/26/10 7:07 AM, Ed W wrote:
> No one seems quite as excited about this as I feel? What am I missing?
What you say is true, that such a file would be parsed as PHP if
requested in that manner but it needs to be uploaded successfully first.
Most modern PHP based galleries will not upload a file ending with
".jpg" unless it actually is a JPEG. Same with a file misidentified as a
PNG. Try it with a phpinfo script. It won't upload into apps like
vBulletin or IPB. I can't speak for a lot of others since I haven't
tested them.
If an app does upload a misidentified file so easily, then the onus is
on the webmaster to configure nginx correctly or, more simply, to not
use the app or to not allow uploads from untrusted sources. The method
proposed by Mike will work fine for such insecure apps, but the real fix
is to fix the app.
The "try_files" approach will be much more efficient than any "if" will
be if you insist on using an insecure app.
--
Jim Ohlstein
More information about the nginx
mailing list