Possible widespread PHP configuration issue - security risk
Michael Shadle
mike503 at gmail.com
Fri Aug 27 23:06:23 MSD 2010
Initial testing shows:

    cgi.fix_pathinfo = 0

and Igor's suggestion:

    location ~ ^(?<script>.+\.php)(?<path_info>.*)$ {
        fastcgi_pass 127.0.0.1:11000;
        # the greedy capture splits the URI at the last ".php": that part becomes
        # SCRIPT_FILENAME, the remainder PATH_INFO
        fastcgi_param SCRIPT_FILENAME $document_root$script;
        fastcgi_param PATH_INFO $path_info;
        include fastcgi_params;
    }

to be working properly. I need to check out PATH_INFO using old style and new style, make sure it still reports the expected behavior for PHP scripts (PATH_INFO, PHP_SELF, all that jazz).

The one thing I don't like is now I have to hardcode that into each place, unless I defined the fastcgi_pass location, and then just had a php.conf - then all of this could be done with a single line of config code.

    # "set" takes the variable name and the value, no "=" in between
    set $fastcgi_pass 127.0.0.1:11000;
    include php.conf;

php.conf would have this:

    location ~ ^(?<script>.+\.php)(?<path_info>.*)$ {
        fastcgi_pass $fastcgi_pass;
        fastcgi_param SCRIPT_FILENAME $document_root$script;
        fastcgi_param PATH_INFO $path_info;
        include fastcgi_params;
    }

Would that be a workable solution Igor? Prior to this new style of PHP handling I used to only need two lines:

    fastcgi_pass 127.0.0.1:11000;
    include fastcgi_params;
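The following is an added example, not part of the original post and not nginx's or PHP's own code. It is a small Python model of the two pieces the post combines: the location regex (nginx's PCRE `(?<name>...)` captures are spelled `(?P<name>...)` in Python's `re`) and the way PHP's CGI/FPM SAPI chooses the file to execute from SCRIPT_FILENAME under `cgi.fix_pathinfo` 0 and 1. The document root `/var/www`, the set of existing files, and the helper names `split_request`, `php_resolve` and `handle` are all constructed for this illustration. Running it shows why the post tests the two settings together: the regex alone still hands PHP a SCRIPT_FILENAME such as `/var/www/uploads/avatar.jpg/x.php`, and only `cgi.fix_pathinfo = 0` makes PHP refuse it instead of walking back to the upload.

```python
import re

# nginx writes PCRE named captures as (?<name>...); Python's re uses (?P<name>...).
# This is the regex from the location block in the post, otherwise unchanged.
LOCATION_RE = re.compile(r"^(?P<script>.+\.php)(?P<path_info>.*)$")

# Constructed document root and the only files that exist in it (assumption for this model).
DOCROOT = "/var/www"
EXISTING_FILES = {
    "/var/www/index.php",
    "/var/www/uploads/avatar.jpg",   # a user upload: data, not a script
}


def split_request(uri):
    """Model the location regex: return (script, path_info) as nginx would set
    $script and $path_info, or None if the location does not match at all."""
    m = LOCATION_RE.match(uri)
    if m is None:
        return None
    return m.group("script"), m.group("path_info")


def php_resolve(script_filename, fix_pathinfo):
    """Model how PHP's CGI/FPM SAPI picks the file to execute from SCRIPT_FILENAME.

    fix_pathinfo=0: the named file must exist as given, otherwise PHP answers
                    "No input file specified" (modelled here as None).
    fix_pathinfo=1: if it does not exist, PHP strips trailing path components
                    until it finds an existing file, executes that file, and
                    treats the stripped remainder as PATH_INFO.
    Returns (executed_file, path_info) or None."""
    if script_filename in EXISTING_FILES:
        return script_filename, ""
    if fix_pathinfo == 0:
        return None
    path = script_filename
    while True:
        cut = path.rfind("/")
        if cut <= 0:
            return None
        path = path[:cut]
        if path in EXISTING_FILES:
            return path, script_filename[len(path):]


def handle(uri, fix_pathinfo):
    """End-to-end model of what the nginx + PHP pair does with a request URI.
    Returns 'static' (location did not match, nginx serves the file itself),
    '404' (PHP refused the script), or 'php:<file>' naming the file PHP runs."""
    parts = split_request(uri)
    if parts is None:
        return "static"
    script, _path_info = parts
    resolved = php_resolve(DOCROOT + script, fix_pathinfo)
    if resolved is None:
        return "404"
    return "php:" + resolved[0]


if __name__ == "__main__":
    for uri in ("/index.php", "/index.php/foo/bar",
                "/uploads/avatar.jpg", "/uploads/avatar.jpg/x.php"):
        print(f"{uri:28} fix_pathinfo=0 -> {handle(uri, 0):28} "
              f"fix_pathinfo=1 -> {handle(uri, 1)}")
```

The `/index.php/foo/bar` case confirms the regex keeps old-style PATH_INFO working (`$script` is `/index.php`, `$path_info` is `/foo/bar`), while the `/uploads/avatar.jpg/x.php` case is the one the subject line is about: with `fix_pathinfo=1` the model executes the uploaded image, with `fix_pathinfo=0` it returns 404.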