Possible widespread PHP configuration issue - security risk

Boris Dolgov boris at dolgov.name
Fri Aug 27 21:20:13 MSD 2010

On Fri, Aug 27, 2010 at 9:17 PM, brianmercer <nginx-forum at nginx.us> wrote:
> As you say, your web app should have a plan for mitigating the dangers
> of user uploads.  Drupal puts an .htaccess file in the upload directory
> which changes the apache file handler.  Of course, that does nothing
> with nginx and so you want something like
> location ~ .*/files/.* {
>  try_files $uri =404 # or index.php?q=$uri or @drupal depending on your
> config
> }
> located before your location ~ .php so you get a match on the files
> directory and you don't execute malicious .php.  Or something more
> restrictive when it comes to .php files like specifying the permitted
> executable files explicitly. see
> http://test.brianmercer.com/content/nginx-configuration-drupal
By the way, you can just write:
location ^~ /files/
    try_files ...;
And if the request matches this location, no regular expressions
locations will be tried.

Boris Dolgov.

More information about the nginx mailing list