Possible widespread PHP configuration issue - security risk
Maxim Dounin
mdounin at mdounin.ru
Fri Aug 27 21:22:26 MSD 2010
Hello!
On Fri, Aug 27, 2010 at 05:42:38PM +0100, Ed W wrote:
[...]
> Look, here's my best attempt. I think it's poor, hence I hope someone
> has a better suggestion:
>
>
> Single script, enable only that single script:
>
> location ~ /blah/script\.php$ {
>     include /etc/nginx/fastcgi_params;
>     fastcgi_pass localhost:9000;
> }
Use exact match location instead:
    location = /blah/script.php {
        ...
    }
> Exclude single dir, everything else executable:
>
> location ~ .*\.php$ {
>     include /etc/nginx/fastcgi_params;
>     if ( $uri !~ "^/images/") {
>         fastcgi_pass localhost:9000;
>     }
> }
Use normal location instead, with "^~" (don't execute regexp
locations) modifier:
    location ^~ /images/ {
        # just handle as static, don't consult regexps
    }
    location ~ \.php$ {
        fastcgi_pass ...
    }
Or, alternatively (and much clearer, but may have problems
in older nginx versions), use inclusive/nested locations:
    location / {
        ...
        location ~ \.php$ {
            fastcgi_pass ...
        }
    }
    location /images/ {
        # just handle as static
    }
Maxim Dounin
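The two patterns from the reply above written out as complete server blocks, added here as an illustration and not taken from the thread. The hostnames, the document root, the backend address 127.0.0.1:9000 and the SCRIPT_FILENAME parameter are assumptions; the location modifiers and their evaluation order are what the reply describes.

```nginx
# Case 1: a single script is the only thing ever handed to PHP.
# An exact-match ("=") location is checked before prefix and regexp
# locations and ends the search at once, so no other *.php path on
# this host can reach the backend.
server {
    listen 80;
    server_name single.example.test;   # assumed
    root /var/www/single;              # assumed

    location = /blah/script.php {
        include /etc/nginx/fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;  # assumed standard param
        fastcgi_pass 127.0.0.1:9000;   # assumed PHP FastCGI backend
    }
}

# Case 2: every *.php request goes to PHP except those under /images/.
# "^~" on the prefix location means: when this prefix is the longest
# match, stop and do not consult regexp locations at all. A request
# for /images/anything.php is therefore served as a static file (or
# 404s) and is never passed to the backend. No "if" block is needed.
server {
    listen 80;
    server_name site.example.test;     # assumed
    root /var/www/site;                # assumed

    location ^~ /images/ {
        # static files only; regexp locations below are never reached
    }

    location ~ \.php$ {
        include /etc/nginx/fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;  # assumed standard param
        fastcgi_pass 127.0.0.1:9000;   # assumed PHP FastCGI backend
    }
}
```

After loading this, `nginx -t` checks the syntax, and a request for a `.php` name placed under `/images/` should come back as a plain file (or a 404), not as executed PHP; if it executes, the `^~` location is not the longest matching prefix and the regexp location is still being consulted. The nested-location alternative from the reply replaces the `^~` block with a plain `location /images/` and moves the `\.php$` regexp inside `location /`, which reads the same but depends on nginx version support for nested locations.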