nginx 0day exploit for nginx + fastcgi PHP
Ian Evans
ianevans at digitalhit.com
Sat May 22 01:50:38 MSD 2010
>> And this will work with cgi.fix-pathinfo=0? Just want to confirm since I
>> only have my production server to test on. Guess I really need to dig
>> out
>> an old computer one day and just set it up as a local test server.
>
> It should work in 0.8.32+. What nginx version do you use ?
Running the latest 0.7.x series. Is 0.8.32+ stable enough for a production
server?
> You may create similar locations
>
> location ~ ^/(?<SN>CR|NEWS|...)(?<PI>/.*$|$) {
>
> to test.
>
It's not so much needing test locations. It's that turning off
cgi.fix-pathinfo will break my current setup so testing might be
problematic. I think the issue we had back in the '08 was that when it was
off there'd be problems with the path_info changing if someone added a
trailing slash so:
example.com/extensionless-script/123
example.com/extensionless-script/123/
produced wildly different results with regards to what was passed to the
script.
I guess I'll update to the latest 0.8.x, toss up a maintenance page, turn
off cgi.fix-pathinfo and try it from localhost.
More information about the nginx
mailing list