Yeah I expect nginx to only be aware of the filesystem it has access to. So open_file_cache saves stat calls? How do you invalidate the cache if a file is removed? Or if I put a new file that wasn't there I want it to instantly show up not 404 for a while? Apologies if you've covered this already.

On Aug 4, 2010, at 11:38 PM, Igor Sysoev <igor@sysoev.ru> wrote:

> On Wed, Aug 04, 2010 at 02:48:07PM -0700, Michael Shadle wrote:
>
>> On Wed, Aug 4, 2010 at 2:44 PM, Ed W <lists@wildgooses.com> wrote:
>>
>>> However, all the default configs that I have seen for PHP setups on the
>>> wiki, etc, seem insecure to my mind. They nearly all point *all* files
>>> named xx.php to be processed by the your php interpreter. Coupled with
>>> nearly all non trivial applications having some "upload" feature this allows
>>> a gaping potential issue to upload arbitrary files named xx.php and you are
>>> allowing arbitrary code to be uploaded...
>>
>> Someone just posted this on my blog:
>>
>> location ~ \.php$ {
>> ....
>> try_files $uri =404;
>> ...
>> }
>>
>> exploit http://site.ru/images/as5df3.jpeg/.php
>>
>> might be an interesting approach, haven't tried it yet. would this add
>> an additional stat call or two though for every PHP request, Igor?
>
> Yes, it adds a stat() syscall, however, it can be eliminated with
> open_file_cache. Note also, that it works only if nginx and php are
> on the same host.
>
>
> --
> Igor Sysoev
> http://sysoev.ru/en/
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://nginx.org/mailman/listinfo/nginx

_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx