Hi BR and thank you for your reply. You said:
> Where does the 'sites-available' directory of nginx came from?
Standard "apt-get install nginx" on Ubuntu. Stable and mainline.
Like Apache, 'sites-available' contains all sites, then you can symlink to 'sites-enabled' for running sites.
It's just the Ubuntu way :)
> There is no such DOCUMENT_URI server variable in PHP
> The nginx wiki has not the reputation of being a trustable source
I know you say not to trust the wiki (it appears in http://wiki.nginx.org/PHPFcgiExample), but it is also in the standard install of nginx on Ubuntu, which comes with an /etc/nginx/fastcgi_params file containing
fastcgi_param DOCUMENT_URI $document_uri;
Perhaps it should not even be there? Should I report it as a possible error to the Ubuntu package maintainers?
> The '0' value seems to exist for backward-compatibility as it provides a broken environment.
> Thus, scripts relying on such a value are highly suspicious to my eyes.
> What exactly are you referring to in the pitfalls page saying that your setup is dangerous?
Well, in your reply you say that it provides a broken environment, but as I mentioned, in both the nginx wiki AND in the default config file which comes with a standard nginx install on Ubuntu, it says
# NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
So, you can understand my confusion here! PHP says leave it on. You say leave it on. The nginx standard install and wiki say turn it off so that nginx doesn't keep trying files. The pitfalls page says:
------------------------
"For instance, if a request is made for /forum/avatar/1232.jpg/file.php which does not exist but if /forum/avatar/1232.jpg does, the PHP interpreter will process /forum/avatar/1232.jpg instead. If this contains embedded PHP code, this code will be executed accordingly.
Options for avoiding this are:
Set cgi.fix_pathinfo=0 in php.ini. This causes the PHP interpreter to only try the literal path given and to stop processing if the file is not found."
------------------------
So what I meant was that setting cgi.fix_pathinfo = 1 may leave this security gap of executing unwanted code.