On Fri, Aug 27, 2010 at 11:13 AM, Cliff Wells <cliff@develix.com> wrote:
> It is subtle, but all fixes are, because the underlying vulnerability is
> quite subtle. What user isn't going to look at that and say to
> themselves "why do I need this if statement?". Just use the try_files
> and add a comment to its purpose.

The caveat with try_files is that it means nginx has filesystem access to
check the existence of the file, and an additional stat call (or more)
- it can be in the open file cache, on modern systems it's not a huge
deal, etc., etc.

But it won't help if you're using fastcgi_pass to a remote server where
nginx does not have the same path to the file (or have access to the php
file) at all.
_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx
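
Added example, not part of the original thread: a small audit that reads an nginx config and reports, for each location that uses fastcgi_pass, whether a "try_files ... =404" guard is present and whether the backend is local, since the guard checks nginx's own filesystem. The sample config, addresses and socket path are constructed, and treating only unix:/loopback targets as local is an assumption (a named upstream is reported as non-local).

```python
import re

# Constructed sample config (not from the thread): a guarded local handler,
# one whose guard is commented out, and a guarded handler on a remote backend.
SAMPLE = r"""
server {
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/var/run/php-fpm.sock;
    }
    location ~ ^/app/.+\.php$ {
        # try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;
    }
    location ~ ^/api/.+\.php$ {
        try_files $uri =404;
        fastcgi_pass 10.0.0.5:9000;
    }
}
"""

# Assumption: only these targets share a filesystem with nginx.
LOCAL = re.compile(r"^(unix:|127\.|localhost\b|\[::1\])")

def location_blocks(conf):
    """Yield (header, body) for each location block, matching braces by depth."""
    for m in re.finditer(r"location\s+([^{]+)\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1).strip(), conf[m.end():i - 1]

def audit(conf):
    """Return (location, backend, status) for every location using fastcgi_pass."""
    conf = re.sub(r"#[^\n]*", "", conf)  # a commented-out guard must not count
    findings = []
    for header, body in location_blocks(conf):
        target = re.search(r"fastcgi_pass\s+([^;\s]+)\s*;", body)
        if not target:
            continue
        guarded = re.search(r"try_files\s+[^;]*=404\s*;", body) is not None
        local = LOCAL.match(target.group(1)) is not None
        status = ("no try_files guard" if not guarded else
                  "guarded" if local else
                  "remote backend: try_files only checks nginx's filesystem")
        findings.append((header, target.group(1), status))
    return findings
```

Calling audit(SAMPLE) returns one tuple per FastCGI location; the brace matching is deliberately simple and does not handle braces inside a location regex.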