Equivalent of Apache's SetEnv Variable

Jim Ohlstein jim at ohlste.in
Fri Aug 27 06:20:50 MSD 2010

On 8/26/10 7:07 AM, Ed W wrote:

> No one seems quite as excited about this as I feel? What am I missing?

What you say is true, that such a file would be parsed as PHP if 
requested in that manner but it needs to be uploaded successfully first. 
Most modern PHP based galleries will not upload a file ending with 
".jpg" unless it actually is a JPEG. Same with a file misidentified as a 
PNG. Try it with a phpinfo script. It won't upload into apps like 
vBulletin or IPB. I can't speak for a lot of others since I haven't 
tested them.

If an app does upload a misidentified file so easily, then the onus is 
on the webmaster to configure nginx correctly or, more simply, to not 
use the app or to not allow uploads from untrusted sources. The method 
proposed by Mike will work fine for such insecure apps, but the real fix 
is to fix the app.

The "try_files" approach will be much more efficient than any "if" will 
be if you insist on using an insecure app.

Jim Ohlstein

More information about the nginx mailing list