Welcome! Log In Create A New Profile

Advanced

Re: Possible widespread PHP configuration issue - security risk

August 28, 2010 08:28AM
On Sat, Aug 28, 2010 at 3:14 AM, Ed W <lists@wildgooses.com> wrote:

> I will believe you that this works, but it seems incredibly subtle and I for
> one don't quite understand why it's working?
>
> My point is only that we need to document how/why this is the solution or
> users will deviate (innocently) and re-introduce the problem

It is a bit more complex to drop in and not as "straightforward" as
one might hope. At the moment I have this working:

main nginx.conf in a server {} block:

set $fastcgi 127.0.0.1:11000;
include confs/php.conf;

root@local:/etc/nginx# cat confs/php.conf
location ~ ^(?<script>.+\.php)(?<path_info>.*)$ {
fastcgi_buffers 16 8k;
fastcgi_buffer_size 8k;
fastcgi_busy_buffers_size 16k;
fastcgi_ignore_client_abort on;
fastcgi_index index.php;
fastcgi_intercept_errors on;
fastcgi_param CONTENT_LENGTH $content_length;
fastcgi_param CONTENT_TYPE $content_type;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param PATH_INFO $path_info;
fastcgi_param REDIRECT_STATUS 200;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param REQUEST_URI $request_uri;
fastcgi_param SCRIPT_FILENAME $document_root$script;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_NAME $http_host;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_PROTOCOL $server_protocol;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_pass $fastcgi;
}

Now, it looks like $_SERVER['PATH_INFO'] is never filled in unless you
have /foo.php/somethingafterit

With cgi.fix_pathinfo=1, PATH_INFO = "/foo.php/somethingafterit"
With cgi.fix_pathinfo=0, PATH_INFO = "/somethingafterit"

Otherwise, PATH_INFO is empty if there is nothing after the .php.

PHP_SELF is empty using the new style approach to the nginx config block.

Using the old style, $_SERVER['PHP_SELF'] works; I tried setting a
fastcgi_param for it, but it did not take. It seems like this is
derived internally in PHP and not able to be overridden.

A lot of things reference PHP_SELF, so this could introduce an issue.
It's late, but my quick tests show a glaring caveat with that.

_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx
Subject Author Posted

Re: Possible widespread PHP configuration issue - security risk

Adam Younce August 27, 2010 02:04PM

Re: Possible widespread PHP configuration issue - security risk

mike August 27, 2010 02:10PM

Re: Possible widespread PHP configuration issue - security risk

Igor Sysoev August 27, 2010 02:44PM

Re: Possible widespread PHP configuration issue - security risk

mike August 27, 2010 02:48PM

Re: Possible widespread PHP configuration issue - security risk

Igor Sysoev August 27, 2010 02:58PM

Re: Possible widespread PHP configuration issue - security risk

mike August 27, 2010 03:12PM

Re: Possible widespread PHP configuration issue - security risk

Ed W August 28, 2010 06:18AM

Re: Possible widespread PHP configuration issue - security risk

mike August 28, 2010 08:28AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 81
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 254 on July 05, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready