Possible widespread PHP configuration issue - security risk

Michael Shadle mike503 at gmail.com
Sat Aug 28 16:24:12 MSD 2010


On Sat, Aug 28, 2010 at 3:14 AM, Ed W <lists at wildgooses.com> wrote:

> I will believe you that this works, but it seems incredibly subtle and I for
> one don't quite understand why it's working?
>
> My point is only that we need to document how/why this is the solution or
> users will deviate (innocently) and re-introduce the problem

It is a bit more complex to drop in and not as "straightforward" as
one might hope. At the moment I have this working:

main nginx.conf in a server {} block:

set $fastcgi 127.0.0.1:11000;
include confs/php.conf;

root@local:/etc/nginx# cat confs/php.conf
location ~ ^(?<script>.+\.php)(?<path_info>.*)$ {
        fastcgi_buffers 16 8k;
        fastcgi_buffer_size 8k;
        fastcgi_busy_buffers_size 16k;
        fastcgi_ignore_client_abort on;
        fastcgi_index index.php;
        fastcgi_intercept_errors on;
        fastcgi_param CONTENT_LENGTH $content_length;
        fastcgi_param CONTENT_TYPE $content_type;
        fastcgi_param DOCUMENT_ROOT $document_root;
        fastcgi_param DOCUMENT_URI $document_uri;
        fastcgi_param GATEWAY_INTERFACE CGI/1.1;
        fastcgi_param QUERY_STRING $query_string;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_param REDIRECT_STATUS 200;
        fastcgi_param REMOTE_ADDR $remote_addr;
        fastcgi_param REMOTE_PORT $remote_port;
        fastcgi_param REQUEST_METHOD $request_method;
        fastcgi_param REQUEST_URI $request_uri;
        fastcgi_param SCRIPT_FILENAME  $document_root$script;
        fastcgi_param SCRIPT_NAME $fastcgi_script_name;
        fastcgi_param SERVER_ADDR $server_addr;
        fastcgi_param SERVER_NAME $http_host;
        fastcgi_param SERVER_PORT $server_port;
        fastcgi_param SERVER_PROTOCOL $server_protocol;
        fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
        fastcgi_pass $fastcgi;
}

Now, it looks like $_SERVER['PATH_INFO'] is never filled in unless you
have /foo.php/somethingafterit

With cgi.fix_pathinfo=1, PATH_INFO = "/foo.php/somethingafterit"
With cgi.fix_pathinfo=0, PATH_INFO = "/somethingafterit"

Otherwise, PATH_INFO is empty if there is nothing after the .php.

PHP_SELF is empty using the new style approach to the nginx config block.

Using the old style, $_SERVER['PHP_SELF'] works; I tried setting a
fastcgi_param for it, but it did not take. It seems like this is
derived internally in PHP and not able to be overridden.

A lot of things reference PHP_SELF, so this could introduce an issue.
It's late, but my quick tests show a glaring caveat with that.
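
How the location regex in confs/php.conf splits a request into the script and PATH_INFO, as an added example that is not part of the original post. It goes beyond the single /foo.php/somethingafterit case to cover several URI shapes; the document root, function names, sample URIs and the simplified URI normalization are assumptions.

```python
import posixpath
import re
from urllib.parse import unquote

# Python spelling of the location regex from confs/php.conf
# (PCRE (?<name>...) is written (?P<name>...) in Python).
LOCATION = re.compile(r"^(?P<script>.+\.php)(?P<path_info>.*)$")


def normalize(request_uri):
    """Simplified stand-in for nginx URI normalization (an assumption):
    drop the query string, percent-decode, merge slashes, resolve dot segments."""
    raw = unquote(request_uri.split("?", 1)[0])
    path = posixpath.normpath(re.sub(r"/+", "/", raw))
    if raw.endswith("/") and path != "/":
        path += "/"  # normpath drops a trailing slash; keep it for PATH_INFO
    return path


def split_request(request_uri, document_root="/var/www"):
    """Return the SCRIPT_FILENAME and PATH_INFO the location block would
    pass to PHP, or None when the location does not match the request.
    document_root is a constructed value."""
    m = LOCATION.match(normalize(request_uri))
    if m is None:
        return None
    return {
        # fastcgi_param SCRIPT_FILENAME $document_root$script;
        "SCRIPT_FILENAME": document_root + m.group("script"),
        # fastcgi_param PATH_INFO $path_info;
        "PATH_INFO": m.group("path_info"),
    }


# Constructed sample requests.
SAMPLES = [
    "/foo.php",                       # nothing after .php: PATH_INFO is empty
    "/foo.php/somethingafterit?x=1",  # the case from the post
    "/%66oo.php/",                    # percent-encoded, trailing slash
    "/a.php/b.php/c",                 # greedy .+ splits at the LAST ".php"
    "/index.html",                    # not handled by this location
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(uri, "->", split_request(uri))
```

Because `.+` is greedy, the split always lands on the last ".php" in the path, so SCRIPT_FILENAME is fixed by nginx before PHP sees the request, which matches the PATH_INFO value reported for cgi.fix_pathinfo=0.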