Understanding alias (used as rewrite)

E.B. emailbuilder88 at yahoo.com
Sat Jun 27 07:04:27 UTC 2015


> > I guess this was a security
> > measure to prevent sneaking around the
> > filesystem for php requests.
>
> I confess I've never been quite sure of the point of that line.
>
> I can see what it does, and I think that it might be useful in some
> limited circumstances which include "...and my php is configured badly
> and I won't change it..."; but I've tried to avoid those circumstances.
>
> > Is there a
> > better way to effect the same protection?
>
> If you can specify what you consider the "same protection" to be,
> then maybe.
>
> And kudos for correct use of the verb "to effect" ;-)
>
> > try_files $request_filename =404????
>
> That won't do what you want because of how try_files handles its not-last
> arguments.
>
> Possibly in this one specific case -- so not in fastcgi.conf that is
> included elsewhere --
>
>   try_files "" =404;
>
> would do it. But you know that you are sending SCRIPT_FILENAME (or
> whatever your fastcgi server honours) set to one specific filename only,
> and you know that the matching file exists. So what is the test doing
> that would be bad if it were not done?

I read more about what the "security protection"
could have been aiming at and I think it was as
you suspect, coverage for bad php config. To answer
your last question, php in some cases could execute
some code hidden in a .gif file if the .php path
didn't exist ("http://example.org/test.gif/test.php")
so the test was trying to verify if test.php exists
or not. I think it's not the best way to protect against this.

Thanks for your kind, helpful responses!
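The test.gif/test.php case described in the message above, as an added example that is not part of the original thread: a simplified Python model of the file-existence test next to PHP's path fallback. It assumes the "bad php config" is PHP's `cgi.fix_pathinfo` setting being enabled; the function names and the sample files are constructed for illustration.

```python
import os
import tempfile

def php_resolve(script_filename, fix_pathinfo=True):
    """Simplified model of how PHP chooses the file to execute.

    With cgi.fix_pathinfo on, a SCRIPT_FILENAME that is not a file is
    shortened one component at a time until a regular file is found; the
    stripped part becomes PATH_INFO. Returns (file, path_info) or None.
    """
    path, info = script_filename, ""
    while not os.path.isfile(path):
        parent, tail = os.path.split(path)
        if not fix_pathinfo or parent == path or not tail:
            return None
        path, info = parent, "/" + tail + info
    return path, info

def handle(docroot, uri, guard, fix_pathinfo=True):
    """Model a request whose URI already matched the .php location."""
    script_filename = docroot + uri
    # The web-server-side test from the thread: 404 unless the file exists.
    if guard and not os.path.isfile(script_filename):
        return 404, None
    hit = php_resolve(script_filename, fix_pathinfo)
    if hit is None:
        return 404, None
    return 200, os.path.relpath(hit[0], docroot)

def demo():
    """Run both URIs under each combination of guard and PHP setting."""
    with tempfile.TemporaryDirectory() as docroot:
        for name in ("index.php", "test.gif"):  # constructed sample files
            open(os.path.join(docroot, name), "w").close()
        return {
            (uri, guard, fix): handle(docroot, uri, guard, fix)
            for uri in ("/index.php", "/test.gif/test.php")
            for guard in (False, True)
            for fix in (True, False)
        }

if __name__ == "__main__":
    for key, result in demo().items():
        print(key, "->", result)
```

Only the combination of no guard and the fallback enabled hands test.gif to the interpreter; either the existence test or turning the fallback off yields a 404, which is why the check is redundant once the PHP side is configured correctly.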



More information about the nginx mailing list