nginx 0day exploit for nginx + fastcgi PHP
Michael Shadle
mike503 at gmail.com
Sat May 22 05:31:08 MSD 2010
Yeah I've always had it set to 1 too. I think fastcgi_split_path_info
may be able to bridge the gap perhaps.
On May 21, 2010, at 6:17 PM, Grzegorz Sienko <staff at krecio.pl> wrote:
>> From php.ini
>
> ; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME,
> and to not grok
> ; what PATH_INFO is. For more information on PATH_INFO, see the cgi
> specs. Setting
> ; this to 1 will cause PHP CGI to fix it's paths to conform to the
> spec. A setting
> ; of zero causes PHP to behave as before. Default is 1. You should
> fix your scripts
> ; to use SCRIPT_FILENAME rather than PATH_TRANSLATED.
> cgi.fix_pathinfo=1
>
>
> 2010/5/22 Cliff Wells <cliff at develix.com>:
>> On Fri, 2010-05-21 at 10:48 -0700, Michael Shadle wrote:
>>> Default is zero.
>>
>> Indeed.
>>
>> I can't find a single installation of PHP (amongst about 35 virtual
>> servers I checked) where this option isn't commented out (so
>> defaulting
>> to 0).
>>
>> Is there some widely-used PHP application that requires this be on?
>>
>> Cliff
>>
>> --
>>
>>
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://nginx.org/mailman/listinfo/nginx
>>
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://nginx.org/mailman/listinfo/nginx
More information about the nginx
mailing list