No, I mean the \.php regex based one. It's just that it opens the door to a lot of problems by allowing all .php scripts to be processed.

Furthermore, it's even mentioned on the wiki Pitfalls page:

http://wiki.nginx.org/Pitfalls#Passing_Uncontrolled_Requests_to_PHP

----appa

On Thu, Feb 13, 2014 at 2:29 PM, Maxim Dounin <[email protected]> wrote:

> Hello!
>
> On Thu, Feb 13, 2014 at 02:09:34PM +0100, António P. P. Almeida wrote:
>
> > This type of configuration is insecure since there's no whitelisting of the
> > PHP scripts to be processed.
>
> You mean "location / { fastcgi_pass ... }"? This type of
> configuration assumes that any files under "/" are php scripts,
> and it's ok to execute them.
>
> Obviously it won't be secure if you allow untrusted parties to put
> files there. But the problem is what you allow, not the
> configuration per se.
>
> --
> Maxim Dounin
> http://nginx.org/
>
> _______________________________________________
> nginx mailing list
> [email protected]
> http://mailman.nginx.org/mailman/listinfo/nginx
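The difference between the `\.php` regex location and a whitelist, as an added example that is not part of the original thread. The server name, document root, script names (`index.php`, `contact.php`) and FastCGI address are assumptions chosen for illustration.

```nginx
# Constructed example: paths, script names and the backend address are assumptions.
server {
    listen 80;
    server_name example.com;
    root /var/www/example;

    # Pattern under discussion (shown commented out): every URI ending in
    # .php is handed to the PHP backend, whatever file it points at.
    #
    # location ~ \.php$ {
    #     include fastcgi_params;
    #     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    #     fastcgi_pass 127.0.0.1:9000;
    # }

    # Whitelisted alternative: only the scripts named here are executed.
    # Regex locations are tried in the order they appear, so this block
    # must come before the catch-all below.
    location ~ ^/(index|contact)\.php$ {
        try_files $uri =404;   # refuse if the script is not on disk
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass 127.0.0.1:9000;
    }

    # Any other .php URI is refused instead of reaching the interpreter.
    location ~ \.php$ {
        return 404;
    }

    # Static files first, then fall back to the whitelisted front controller.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}
```

`nginx -t` checks the syntax before a reload.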
