Welcome! Log In Create A New Profile

Re: Possible widespread PHP configuration issue - security risk

Forum List Message List New Topic Print View

Maxim Dounin

August 27, 2010 01:26PM

Hello!

On Fri, Aug 27, 2010 at 05:42:38PM +0100, Ed W wrote:

[...]

> Look, heres my best attempt. I think it's poor hence I hope someone
> has a better suggestion:
>
>
> Single script, enable only that single script:
>
> location ~ /blah/script\.php$ {
> include /etc/nginx/fastcgi_params;
> fastcgi_pass localhost:9000;
> }

Use exact match location instead:

location = /blah/script.php {
...
}

> Exclude single dir, everything else executable:
>
> location ~ .*.php$ {
> include /etc/nginx/fastcgi_params;
> if ( $uri !~ "^/images/") {
> fastcgi_pass localhost:9000;
> }
> }

Use normal location instead, with "^~" (don't execute regexp
locations) modifier:

location ^~ /images/ {
# just handle as static, don't consult regexps
}

location ~ \.php$ {
fastcgi_pass ...
}

Or, alternatively (and much more clear, but may have problems
in older nginx versions), use inclusive/nested locations:

location / {
...

location ~ \.php$ {
fastcgi_pass ...
}
}

location /images/ {
# just handle as static
}

Maxim Dounin

_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx

Reply Quote

RSS

Subject	Author	Posted
Possible widespread PHP configuration issue - security risk	Ed W	August 27, 2010 11:28AM
Re: Possible widespread PHP configuration issue - security risk	zuborg	August 27, 2010 11:47AM
Re: Possible widespread PHP configuration issue - security risk	Jim Ohlstein	August 27, 2010 11:50AM
Re: Possible widespread PHP configuration issue - security risk	Ed W	August 27, 2010 12:10PM
Re: Possible widespread PHP configuration issue - security risk	Jim Ohlstein	August 27, 2010 12:18PM
Re: Possible widespread PHP configuration issue - security risk	Ed W	August 27, 2010 12:30PM
Re: Possible widespread PHP configuration issue - security risk	vesperto	August 27, 2010 12:36PM
Re: Possible widespread PHP configuration issue - security risk	Ed W	August 27, 2010 12:48PM
Re: Possible widespread PHP configuration issue - security risk	Cliff Wells	August 27, 2010 01:14PM
Re: Possible widespread PHP configuration issue - security risk	Ed W	August 27, 2010 01:24PM
Re: Possible widespread PHP configuration issue - security risk	Cliff Wells	August 27, 2010 01:50PM
Re: Possible widespread PHP configuration issue - security risk	Ed W	August 27, 2010 01:54PM
Re: Possible widespread PHP configuration issue - security risk	Ed W	August 27, 2010 01:52PM
Re: Possible widespread PHP configuration issue - security risk	ubitux	August 27, 2010 01:56PM
Re: Possible widespread PHP configuration issue - security risk	Cliff Wells	August 27, 2010 02:10PM
Re: Possible widespread PHP configuration issue - security risk	Cliff Wells	August 27, 2010 02:16PM
Re: Possible widespread PHP configuration issue - security risk	mike	August 27, 2010 02:22PM
Re: Possible widespread PHP configuration issue - security risk	Cliff Wells	August 27, 2010 02:44PM
Re: Possible widespread PHP configuration issue - security risk	Ed W	August 28, 2010 06:38AM
Re: Possible widespread PHP configuration issue - security risk	brianmercer	August 27, 2010 12:22PM
Re: Possible widespread PHP configuration issue - security risk	Ed W	August 27, 2010 12:26PM
Re: Possible widespread PHP configuration issue - security risk	Ed W	August 27, 2010 12:46PM
Re: Possible widespread PHP configuration issue - security risk	brianmercer	August 27, 2010 01:17PM
Re: Possible widespread PHP configuration issue - security risk	Maxim Dounin	August 27, 2010 01:26PM
Re: Possible widespread PHP configuration issue - security risk	Boris Dolgov	August 27, 2010 01:26PM
Re: Possible widespread PHP configuration issue - security risk	Ed W	August 27, 2010 01:38PM
Re: Possible widespread PHP configuration issue - security risk	Ed W	August 27, 2010 12:52PM
Re: Possible widespread PHP configuration issue - security risk	Raina Gustafson	August 27, 2010 01:02PM
Re: Possible widespread PHP configuration issue - security risk	Ensiferous	August 30, 2010 12:46PM

Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 276

Record Number of Users: 8 on April 13, 2023

Record Number of Guests: 421 on December 02, 2018