Welcome! Log In Create A New Profile

Re: Equivalent of Apache's SetEnv Variable

Forum List Message List New Topic Print View

Igor Sysoev

August 05, 2010 04:26AM

Admin
Registered: 15 years ago
Posts: 4,579

On Thu, Aug 05, 2010 at 10:11:29AM +0200, Grzegorz Nosek wrote:

> On Thu, Aug 05, 2010 at 12:09:33PM +0400, Igor Sysoev wrote:
> > What's about when "/dir/1.gif/2.php" is proxied to remote server ?
> > nginx has no access to a filesystem of the file.
>
> It doesn't go via the static module then and the patch won't do
> anything.

The issue is that someone is able to upload a image file to a directory
with scripts (I do not know why he is not able to override some valid
images or even the scripts themself in this case). Then someone requests
the image file as "/dir/1.gif/2.php" making exploit. I do not see
how using types will help in a case when nginx ahs not access to remote
filesystem.

--
Igor Sysoev
http://sysoev.ru/en/

_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx

Reply Quote

RSS

Subject	Author	Posted
Equivalent of Apache's SetEnv Variable	Raina Gustafson	July 29, 2010 12:28PM
Re: Equivalent of Apache's SetEnv Variable	Eugaia	July 29, 2010 01:24PM
Re: Equivalent of Apache's SetEnv Variable	Igor Sysoev	July 29, 2010 01:32PM
Re: Equivalent of Apache's SetEnv Variable	Raina Gustafson	July 29, 2010 01:34PM
Re: Equivalent of Apache's SetEnv Variable	Raina Gustafson	August 03, 2010 05:08PM
Re: Equivalent of Apache's SetEnv Variable	mike	August 03, 2010 05:24PM
Re: Equivalent of Apache's SetEnv Variable	Raina Gustafson	August 03, 2010 07:20PM
Re: Equivalent of Apache's SetEnv Variable	mike	August 03, 2010 07:38PM
Re: Equivalent of Apache's SetEnv Variable	Raina Gustafson	August 03, 2010 07:52PM
Re: Equivalent of Apache's SetEnv Variable	mike	August 03, 2010 08:26PM
Re: Equivalent of Apache's SetEnv Variable	Ed W	August 04, 2010 05:50PM
Re: Equivalent of Apache's SetEnv Variable	mike	August 04, 2010 05:52PM
Re: Equivalent of Apache's SetEnv Variable	Igor Sysoev	August 05, 2010 02:48AM
Re: Equivalent of Apache's SetEnv Variable	mike	August 05, 2010 03:10AM
Re: Equivalent of Apache's SetEnv Variable	Igor Sysoev	August 05, 2010 03:32AM
Re: Equivalent of Apache's SetEnv Variable	Grzegorz Nosek	August 05, 2010 03:20AM
Re: Equivalent of Apache's SetEnv Variable	Igor Sysoev	August 05, 2010 03:38AM
Re: Equivalent of Apache's SetEnv Variable	Grzegorz Nosek	August 05, 2010 04:12AM
Re: Equivalent of Apache's SetEnv Variable	Igor Sysoev	August 05, 2010 04:12AM
Re: Equivalent of Apache's SetEnv Variable	Grzegorz Nosek	August 05, 2010 04:18AM
Re: Equivalent of Apache's SetEnv Variable	Igor Sysoev	August 05, 2010 04:26AM
Re: Equivalent of Apache's SetEnv Variable	Grzegorz Nosek	August 05, 2010 04:54AM
Re: Equivalent of Apache's SetEnv Variable	mike	August 05, 2010 05:18AM
Re: Equivalent of Apache's SetEnv Variable	Igor Sysoev	August 05, 2010 06:02AM
Re: Equivalent of Apache's SetEnv Variable	Grzegorz Nosek	August 05, 2010 06:22AM
Re: Equivalent of Apache's SetEnv Variable	mike	August 05, 2010 06:26AM
Re: Equivalent of Apache's SetEnv Variable	Grzegorz Nosek	August 05, 2010 06:46AM
Re: Equivalent of Apache's SetEnv Variable	mike	August 05, 2010 06:52AM
Re: Equivalent of Apache's SetEnv Variable	Grzegorz Nosek	August 05, 2010 07:04AM
Re: Equivalent of Apache's SetEnv Variable	Igor Sysoev	August 05, 2010 07:16AM
Re: Equivalent of Apache's SetEnv Variable	Igor Sysoev	August 05, 2010 07:18AM
Re: Equivalent of Apache's SetEnv Variable	Igor Sysoev	August 05, 2010 06:50AM
Re: Equivalent of Apache's SetEnv Variable	Grzegorz Nosek	August 05, 2010 06:52AM
Re: Equivalent of Apache's SetEnv Variable	mike	August 05, 2010 03:42AM
Re: Equivalent of Apache's SetEnv Variable	Grzegorz Nosek	August 05, 2010 04:14AM
Re: Equivalent of Apache's SetEnv Variable	mike	August 05, 2010 04:18AM
Re: Equivalent of Apache's SetEnv Variable	Cliff Wells	August 04, 2010 10:48PM
Re: Equivalent of Apache's SetEnv Variable	Ed W	August 26, 2010 07:12AM
Re: Equivalent of Apache's SetEnv Variable	mike	August 26, 2010 07:22AM
Re: Equivalent of Apache's SetEnv Variable	Jim Ohlstein	August 26, 2010 10:28PM
Re: Equivalent of Apache's SetEnv Variable	Ed W	August 27, 2010 11:00AM
Re: Equivalent of Apache's SetEnv Variable	mike	August 04, 2010 06:20AM
Re: Equivalent of Apache's SetEnv Variable	Raina Gustafson	August 04, 2010 10:58AM
Re: Equivalent of Apache's SetEnv Variable	mike	August 04, 2010 04:04PM
Re: Equivalent of Apache's SetEnv Variable	Raina Gustafson	August 04, 2010 11:14AM
Re: Equivalent of Apache's SetEnv Variable	mike	August 04, 2010 04:00PM

Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 158

Record Number of Users: 8 on April 13, 2023

Record Number of Guests: 421 on December 02, 2018