fastcgi & index
António P. P. Almeida
appa at perusio.net
Thu Feb 13 13:47:35 UTC 2014
No, I mean the \.php regex-based one.
It's just that it opens the door to a lot of problems by allowing all .php
scripts to be processed.
Furthermore it's even mentioned on the wiki Pitfalls page:
http://wiki.nginx.org/Pitfalls#Passing_Uncontrolled_Requests_to_PHP
----appa
On Thu, Feb 13, 2014 at 2:29 PM, Maxim Dounin <mdounin at mdounin.ru> wrote:
> Hello!
>
> On Thu, Feb 13, 2014 at 02:09:34PM +0100, António P. P. Almeida wrote:
>
> > This type of configuration is insecure since there's no whitelisting of the
> > PHP scripts to be processed.
>
> You mean "location / { fastcgi_pass ... }"? This type of
> configuration assumes that any files under "/" are php scripts,
> and it's ok to execute them.
>
> Obviously it won't be secure if you allow untrusted parties to put
> files there. But the problem is what you allow, not the
> configuration per se.
>
> --
> Maxim Dounin
> http://nginx.org/
>
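
The two approaches contrasted in this thread, side by side, as an added example that is not taken from either poster or from the nginx documentation. The server name, document root, entry-point script and PHP-FPM socket path are assumptions.

```nginx
# Added example. example.com, /var/www/example, /index.php and the
# PHP-FPM socket path are assumed values, not taken from the thread.
server {
    listen 80;
    server_name example.com;
    root /var/www/example;
    index index.php;

    # The "\.php regex based" pattern under discussion, shown commented out:
    # every URI ending in .php is handed to the FastCGI backend, including
    # scripts the application never intended to expose.
    #
    # location ~ \.php$ {
    #     include fastcgi_params;
    #     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    #     fastcgi_pass unix:/run/php/php-fpm.sock;
    # }

    # Whitelisted form: only the named entry point reaches PHP.
    # An exact-match (=) location is selected before any regex location.
    location = /index.php {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # Every other .php URI is refused rather than executed.
    location ~* \.php$ {
        return 404;
    }

    # Static files are served directly; everything else is routed to the
    # whitelisted entry point via an internal redirect.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}
```

Additional entry points each get their own `location = /name.php` block; `nginx -t` validates the file before a reload.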