Re: Confusion over apparently conflicting advice in guide/wiki/examples

March 04, 2014 03:51PM
Hi BR and thank you for your reply. You said:

> Where does the 'sites-available' directory of nginx came from?

Standard "apt-get install nginx" on Ubuntu. Stable and mainline.
Like Apache, 'sites-available' contains all sites, then you can symlink to 'sites-enabled' for running sites.
It's just the Ubuntu way :)

> There is no such DOCUMENT_URI server variable in PHP
> The nginx wiki has not the reputation of being a trustable source

I know you say not to trust the wiki (it appears in http://wiki.nginx.org/PHPFcgiExample) but it also is in the standard install of nginx on Ubuntu which comes with an /etc/nginx/fastcgi_params file containing
fastcgi_param DOCUMENT_URI $document_uri;

Perhaps it should not even be there? Should I report it as a possible error to the Ubuntu package maintainers?

> The '0' value seems to exist for backward-compatibility as it provides a broken environment.
> Thus, scripts relying on such a value are highly suspicious to my eyes.
> What exactly are you referring to in the pitfalls page saying that your setup is dangerous?

Well, in your reply you say that it provides a broken environment, but as I mentioned, in both the nginx wiki AND in the default config file which comes with a standard nginx install on Ubuntu, it says
# NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini

So, you can understand my confusion here! PHP says leave it on. You say leave it on. The nginx standard install and wiki say turn it off so that nginx doesn't keep trying files. The pitfalls page says:

------------------------
"For instance, if a request is made for /forum/avatar/1232.jpg/file.php which does not exist but if /forum/avatar/1232.jpg does, the PHP interpreter will process /forum/avatar/1232.jpg instead. If this contains embedded PHP code, this code will be executed accordingly.
Options for avoiding this are:
Set cgi.fix_pathinfo=0 in php.ini. This causes the PHP interpreter to only try the literal path given and to stop processing if the file is not found."
------------------------

So what I meant was that setting cgi.fix_pathinfo = 1 may leave this security gap of executing unwanted code.
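To make the pitfall quoted above concrete, here is an added example (not from the original post, the nginx wiki or PHP itself) that models how the FastCGI script is chosen under cgi.fix_pathinfo=1 versus cgi.fix_pathinfo=0, using a constructed in-memory document root with the /forum/avatar/1232.jpg layout from the pitfalls page. The function names and the in-memory docroot are assumptions made for the illustration.

```python
# Constructed in-memory document root: path -> contents. Only the avatar
# exists; "/forum/avatar/1232.jpg/file.php" does not. The avatar carries
# an embedded PHP tag to represent the "image with embedded code" case.
DOCROOT = {
    "/forum/avatar/1232.jpg": b"\xff\xd8 ... <?php echo 'embedded'; ?>",
    "/index.php": b"<?php echo 'index'; ?>",
}


def resolve_script(script_filename, fix_pathinfo, docroot=DOCROOT):
    """Model of PHP's script selection for a given SCRIPT_FILENAME.

    fix_pathinfo=0: only the literal path is tried; missing -> no script.
    fix_pathinfo=1: trailing path components are stripped one at a time
    until an existing file is found; the stripped tail becomes PATH_INFO.
    Returns (script_path, path_info), or (None, None) if nothing matches.
    """
    parts = [p for p in script_filename.split("/") if p]
    for cut in range(len(parts), 0, -1):
        candidate = "/" + "/".join(parts[:cut])
        if candidate in docroot:
            tail = parts[cut:]
            return candidate, ("/" + "/".join(tail)) if tail else ""
        if fix_pathinfo == 0:
            break  # literal path only: do not walk back up the path
    return None, None


def executes_non_php_file(script_filename, fix_pathinfo, docroot=DOCROOT):
    """True when the chosen script is not a .php file, i.e. the request
    would hand a non-PHP file (such as an uploaded image) to the interpreter."""
    script, _ = resolve_script(script_filename, fix_pathinfo, docroot)
    return script is not None and not script.endswith(".php")


if __name__ == "__main__":
    req = "/forum/avatar/1232.jpg/file.php"
    for setting in (1, 0):
        print(f"cgi.fix_pathinfo={setting}:",
              resolve_script(req, setting),
              "non-PHP file executed:" , executes_non_php_file(req, setting))
```

With fix_pathinfo=1 the avatar is selected and "/file.php" becomes PATH_INFO; with fix_pathinfo=0 the request simply finds no script, which is the behaviour the pitfalls page recommends.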