Hello!

On Thu, Feb 13, 2014 at 02:47:35PM +0100, António P. P. Almeida wrote:

> No I mean the \.php regex based one.

So now you probably know why top-posting is discouraged. ;)

> It's just that it opens the door to a lot of problems by allowing all .php
> scripts to be processed.
>
> Furthermore it's even mentioned on the wiki Pitfalls page:
> http://wiki.nginx.org/Pitfalls#Passing_Uncontrolled_Requests_to_PHP

Trivial and correct fix for the problem mentioned on the wiki is to
properly configure php, with cgi.fix_pathinfo=0.

I would also recommend not allowing php at all under the locations
where you allow untrusted parties to put files - or, rather, only
allow php under locations where untrusted parties are not allowed
to put files, by properly isolating \.php$ location.

But again, there is nothing wrong with the configuration per se.

-- 
Maxim Dounin
http://nginx.org/
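
The two measures recommended in the message above, shown as an added configuration example that is not part of the original post or of the nginx project's own documentation. The server name, document root, the `/uploads/` and `/app/` paths and the PHP-FPM socket path are assumptions.

```nginx
# Added example. All paths, names and the socket below are assumptions.
#
# php.ini (separate file), the fix named in the message:
#   cgi.fix_pathinfo=0
# With this set, PHP does not walk back up the path looking for an
# existing file, so a request such as /uploads/pic.jpg/x.php is not
# executed as /uploads/pic.jpg.

server {
    listen      80;
    server_name example.com;            # assumption
    root        /var/www/example;       # assumption

    # Location where untrusted parties may put files.
    # "^~" stops nginx from checking regex locations once this prefix
    # is the longest match, so nothing under /uploads/ can ever reach
    # a \.php$ location. Files here are served as static content only.
    location ^~ /uploads/ {
    }

    # Application code that untrusted parties cannot write to.
    # The \.php$ regex location is nested here, so it applies only to
    # requests under /app/ and is isolated from the rest of the site.
    location /app/ {
        location ~ \.php$ {
            include       fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass  unix:/run/php-fpm.sock;   # assumption
        }
    }

    # Everything else is static.
    location / {
    }
}
```

After a reload, `nginx -t` confirms the syntax, and a request for any `.php` name under `/uploads/` should come back as a static file or a 404, never as FastCGI output.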
