Possible widespread PHP configuration issue - security risk

Michael Shadle mike503 at gmail.com
Fri Aug 27 23:06:23 MSD 2010


Initial testing shows:

cgi.fix_pathinfo = 0

and Igor's suggestion:

location ~ ^(?<script>.+\.php)(?<path_info>.*)$ {
    fastcgi_pass 127.0.0.1:11000;
    fastcgi_param   SCRIPT_FILENAME  $document_root$script;
    fastcgi_param   PATH_INFO        $path_info;
    include fastcgi_params;
}

to be working properly. I need to check out PATH_INFO using the old style
and the new style, and make sure it still reports the expected behavior for
PHP scripts (PATH_INFO, PHP_SELF, all that jazz).

The one thing I don't like is that now I have to hardcode that into each
place, unless I define the fastcgi_pass location and then just have a
php.conf - then all of this could be done with a single line of config
code.

set $fastcgi_pass 127.0.0.1:11000;
include php.conf;

php.conf would have this:

location ~ ^(?<script>.+\.php)(?<path_info>.*)$ {
    fastcgi_pass $fastcgi_pass;
    fastcgi_param   SCRIPT_FILENAME  $document_root$script;
    fastcgi_param   PATH_INFO        $path_info;
    include fastcgi_params;
}

Would that be a workable solution Igor? Prior to this new style of PHP
handling I used to only need two lines:

fastcgi_pass 127.0.0.1:11000;
include fastcgi_params;
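The risk this thread is about, as an added example that is not part of the original post or of nginx/PHP: a small Python model of how the two nginx handler styles turn a request URI into SCRIPT_FILENAME and PATH_INFO, and of what PHP-CGI does with a SCRIPT_FILENAME that does not exist under cgi.fix_pathinfo=1 versus cgi.fix_pathinfo=0. The regex is the one from the post; the document root, the file names (index.php, uploads/avatar.jpg), the behaviour attributed to the old `location ~ \.php$` handler and the fix_pathinfo walk-back are constructed assumptions for the demonstration.

```python
import os
import re
import shutil
import tempfile

# Igor's regex from the post: the script name runs up to the last ".php",
# whatever follows is PATH_INFO.
SPLIT_RE = re.compile(r'^(?P<script>.+\.php)(?P<path_info>.*)$')


def split_new_style(uri):
    """Model of `location ~ ^(?<script>.+\\.php)(?<path_info>.*)$`.
    Returns (script, path_info), or None when the location does not match."""
    m = SPLIT_RE.match(uri)
    if not m:
        return None
    return m.group('script'), m.group('path_info')


def split_old_style(uri):
    """Model of the old `location ~ \\.php$` two-liner (assumed; the post
    does not show it): the whole URI is the script name, no PATH_INFO."""
    if not uri.endswith('.php'):
        return None
    return uri, ''


def php_resolve(docroot, script, path_info, fix_pathinfo):
    """Model of PHP-CGI's handling of SCRIPT_FILENAME (assumption).
    fix_pathinfo=0: the named file must exist, otherwise 404.
    fix_pathinfo=1: if it does not exist, PHP drops trailing path components
    one at a time until it hits an existing file and executes THAT file,
    with the dropped tail as PATH_INFO, whatever the file's extension is."""
    filename = docroot + script
    if os.path.isfile(filename):
        return ('execute', os.path.relpath(filename, docroot), path_info)
    if not fix_pathinfo:
        return ('404', None, None)
    parts = script.split('/')          # script starts with '/', so parts[0] == ''
    tail = []
    while len(parts) > 1:
        tail.insert(0, parts.pop())
        candidate = docroot + '/'.join(parts)
        if os.path.isfile(candidate):
            return ('execute', os.path.relpath(candidate, docroot),
                    '/' + '/'.join(tail) + path_info)
    return ('404', None, None)


def handle(docroot, uri, splitter, fix_pathinfo):
    """One request through the nginx location model, then the PHP model."""
    split = splitter(uri)
    if split is None:
        return ('static', None, None)  # falls through to a non-PHP location
    script, path_info = split
    return php_resolve(docroot, script, path_info, fix_pathinfo)


def build_docroot():
    """Constructed sample document root: a real index.php plus a user upload
    whose name says .jpg but whose bytes are PHP (the classic upload case)."""
    root = tempfile.mkdtemp(prefix='docroot-')
    os.makedirs(os.path.join(root, 'uploads'))
    with open(os.path.join(root, 'index.php'), 'w') as f:
        f.write('<?php echo "index"; ?>')
    with open(os.path.join(root, 'uploads', 'avatar.jpg'), 'w') as f:
        f.write('<?php echo "not an image"; ?>')
    return root


def demo():
    """Run the interesting URIs through each combination and return the results."""
    root = build_docroot()
    try:
        evil = '/uploads/avatar.jpg/x.php'
        return {
            # old handler + default fix_pathinfo: the upload is executed as PHP
            'old_fix1': handle(root, evil, split_old_style, 1),
            # the regex alone does not help while fix_pathinfo is still 1
            'new_fix1': handle(root, evil, split_new_style, 1),
            # regex + cgi.fix_pathinfo=0: the non-existent script is a 404
            'new_fix0': handle(root, evil, split_new_style, 0),
            # legitimate PATH_INFO still works with the new style
            'new_pathinfo': handle(root, '/index.php/foo/bar', split_new_style, 0),
            # and never reached PHP with the old `\.php$` handler
            'old_pathinfo': handle(root, '/index.php/foo/bar', split_old_style, 0),
        }
    finally:
        shutil.rmtree(root)


if __name__ == '__main__':
    for name, result in demo().items():
        print(name, result)
```

The point the model makes visible is that the regex location and cgi.fix_pathinfo=0 do different jobs: the regex is what gives PHP a real PATH_INFO, while fix_pathinfo=0 is what stops PHP from walking back along a bogus SCRIPT_FILENAME and executing an uploaded file.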



More information about the nginx mailing list