Possible widespread PHP configuration issue - security risk

Cliff Wells cliff at develix.com
Fri Aug 27 22:41:39 MSD 2010

On Fri, 2010-08-27 at 11:15 -0700, Michael Shadle wrote:
> On Fri, Aug 27, 2010 at 11:13 AM, Cliff Wells <cliff at develix.com> wrote:
> > It is subtle, but all fixes are, because the underlying vulnerability is
> > quite subtle.  What user isn't going to look at that and say to
> > themselves "why do I need this if statement?".   Just use the try_files
> > and add a comment to its purpose.
> The caveat with try_files is it means nginx has filesystem access to
> check the existence of the file and an additional stat call (or more)
> - it can be in the open file cache, modern systems it's not a huge
> deal, etc, etc.
> But it won't help if you're fastcgi_pass to a remote server that nginx
> does not have the same path to the file (or have access to the php
> file) at all.

Good point.   I do prefer your more general fix, although I'd like
confirmation that it does fully address the issue (the whole split_path
thing is too weird for me to want to try to understand).


More information about the nginx mailing list