fastcgi & index
Grant
emailgrant at gmail.com
Thu Feb 13 14:18:07 UTC 2014
>> No I mean the \.php regex based one.
>
> So now you probably know why top-posting is discouraged. ;)
>
>> It's just that it opens the door to a lot of problems by allowing all .php
>> scripts to be processed.
>>
>> Furthermore it's even mentioned on the wiki Pitfalls page:
>> http://wiki.nginx.org/Pitfalls#Passing_Uncontrolled_Requests_to_PHP
>
> Trivial and correct fix for the problem mentioned on the wiki is
> to properly configure php, with cgi.fix_pathinfo=0.
>
> I would also recommend not allowing php at all under the locations
> where you allow untrusted parties to put files - or, rather, only
> allow php under locations where untrusted parties are not
> allowed to put files, by properly isolating \.php$ location.
>
> But again, there is nothing wrong with the configuration per se.

Is the example from the wiki a good one to use?

    location ~ [^/]\.php(/|$) {

http://wiki.nginx.org/PHPFcgiExample

- Grant
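
An added example, not part of the original message or of the nginx wiki: one way to lay out the two recommendations quoted above, cgi.fix_pathinfo=0 on the PHP side and PHP handled only where untrusted parties cannot put files. The server name, directory layout (/app/, /uploads/) and FastCGI address are assumptions.

```nginx
# Assumed php.ini setting on the PHP side (from the quoted reply):
#   cgi.fix_pathinfo=0

server {
    listen 80;
    server_name example.test;      # assumed name
    root /var/www/site;            # assumed document root

    # Static content by default. There is no server-level \.php location,
    # so a .php URI outside /app/ is never handed to the FastCGI backend.
    location / {
        try_files $uri $uri/ =404;
    }

    # Area where untrusted parties may put files (assumed path).
    # "^~" stops the search for regex locations once this prefix matches,
    # so a regex location added at server level later cannot capture
    # requests under /uploads/.
    location ^~ /uploads/ {
        try_files $uri =404;
    }

    # Application code that only administrators deploy (assumed path).
    # The \.php$ location is nested here, which isolates it to /app/.
    location /app/ {
        index index.php;

        location ~ \.php$ {
            # Pass the request on only if the script exists on disk.
            try_files $uri =404;

            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass 127.0.0.1:9000;   # assumed backend address
        }
    }
}
```

`nginx -t` checks the syntax before a reload. The nested `\.php$` location does no PATH_INFO splitting, so URIs of the form `/app/index.php/extra` are not routed to PHP in this layout.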