Re: Confusion over apparently conflicting advice in guide/wiki/examples

Francis Daly
March 04, 2014 04:42PM
On Tue, Mar 04, 2014 at 03:51:36PM -0500, talkingnews wrote:

Hi there,

continuing from my previous mail...

> > There is no such DOCUMENT_URI server variable in PHP
> > The nginx wiki has not the reputation of being a trustable source
>
> I know you say not to trust the wiki (it appears in
> http://wiki.nginx.org/PHPFcgiExample) but it also is in the standard install
> of nginx on ubuntu which comes with an /etc/nginx/fastcgi_params file
> containing
> fastcgi_param DOCUMENT_URI $document_uri;
>
> Perhaps it should not even be there? Should I report it as a possible error
> to the Ubuntu package maintainers?

nginx is the fastcgi client. It can send any key/value pairs to the
fastcgi server. If you read the fastcgi spec, you'll see that certain keys
are expected to exist. And if you read your fastcgi server documentation,
you'll see that certain keys are heeded. Those lists of keys may not
be identical.

A lot of the fastcgi_params file seems to be things that some common
fastcgi servers and/or the code they run will typically make use of. They
are things added to be helpful in some cases, which are unlikely to ever
be harmful.

Perhaps your fastcgi server will be happy with just "fastcgi_param
SCRIPT_FILENAME /tmp/env.php", and with no other fastcgi_param values
at all. Or perhaps it ignores SCRIPT_FILENAME and instead uses some
different keys to identify the file to be processed.

And perhaps your next fastcgi server will do something different.

You must configure your nginx to say whatever your fastcgi server needs
to hear. Many of the "default" params are to make it Just Work with
different servers. (I think.)

> So, you can understand my confusion here! PHP says leave it on. You say
> leave it on. Nginx standard install and wiki says turn it off so that nginx
> doesn't keep trying files.

No. nginx doesn't keep trying files. The fastcgi server might, but that's
a "fix your fastcgi server" issue.

> So what I meant was that setting cgi.fix_pathinfo = 1 may leave this
> security gap of executing unwanted code.

....in the php interpreter.

Not in nginx. Fix php problems in php, and things will be easier.

Cheers,

f
--
Francis Daly francis@daoine.org
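
Added example (not part of the message above and not nginx or PHP code): a decoder for the name-value pair encoding that the FastCGI spec uses for FCGI_PARAMS, so the keys a client such as nginx sends can be compared with the keys a given FastCGI server heeds. The sample params and the HEEDED set are constructed assumptions, not taken from any real server.

```python
import struct

def encode_pair(name: bytes, value: bytes) -> bytes:
    """Encode one FastCGI name-value pair (FastCGI spec, name-value pairs)."""
    def length(n: int) -> bytes:
        # Lengths below 128 take one byte; longer ones take four bytes
        # with the high bit of the first byte set.
        return bytes([n]) if n < 128 else struct.pack(">I", n | 0x80000000)
    return length(len(name)) + length(len(value)) + name + value

def decode_pairs(body: bytes) -> dict:
    """Decode the concatenated content of FCGI_PARAMS records into a dict."""
    def read_len(pos: int):
        if pos >= len(body):
            raise ValueError("truncated length")
        if body[pos] < 128:
            return body[pos], pos + 1
        if pos + 4 > len(body):
            raise ValueError("truncated 4-byte length")
        return struct.unpack_from(">I", body, pos)[0] & 0x7FFFFFFF, pos + 4
    pairs, pos = {}, 0
    while pos < len(body):
        nlen, pos = read_len(pos)
        vlen, pos = read_len(pos)
        if pos + nlen + vlen > len(body):
            raise ValueError("pair runs past end of params body")
        name = body[pos:pos + nlen]
        value = body[pos + nlen:pos + nlen + vlen]
        pairs[name.decode("latin-1")] = value.decode("latin-1")
        pos += nlen + vlen
    return pairs

# Constructed sample: params a client could send for some fastcgi_param lines.
SAMPLE_PARAMS = {
    "SCRIPT_FILENAME": "/tmp/env.php",
    "DOCUMENT_URI": "/env.php",
    "X_LONG": "a" * 200,  # constructed key; forces the 4-byte length form
}
SAMPLE_BODY = b"".join(encode_pair(k.encode(), v.encode())
                       for k, v in SAMPLE_PARAMS.items())

# Hypothetical: the keys one particular FastCGI server documents as heeded.
HEEDED = {"SCRIPT_FILENAME", "QUERY_STRING", "REQUEST_METHOD"}

def audit(body: bytes, heeded: set):
    """Return (sent and heeded, sent but ignored, heeded but not sent)."""
    sent = set(decode_pairs(body))
    return sorted(sent & heeded), sorted(sent - heeded), sorted(heeded - sent)

if __name__ == "__main__":
    print(audit(SAMPLE_BODY, HEEDED))
```

The third list from audit() is the one to act on: keys the server documentation says it reads that the client configuration never sends.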
