On 27/08/2010 18:05, Cliff Wells wrote:
> Nevertheless, I've updated the MediaWiki entry.
I'm still having problems getting to the wiki - no .js files are loading
which is causing some wierd stuff to happen.
However, my opinion is that just adding try_files is only a partial
fix. If some way is found to upload .php files (bad wikipedia config)
or some other exploit is found that can bypass the try_files then we
still have an issue.
My mediawiki config does this:
location ~ .*.php$ {
include /etc/nginx/fastcgi_params;
if ( $uri !~ "^/images/") {
fastcgi_pass localhost:9000;
}
}
Others have already pointed out that we can do better than my IF.
However, your try_files, plus the explicit exclusion of the /images/ dir
go a long way to secure mediawiki. Also I think the specific exclusion
of the /images/ dir becomes quite self-documenting, whereas the
try_files is quite a subtle fix?
Cheers
Ed W
_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx