On Fri, Apr 23, 2010 at 08:42:19AM +0200, Jérôme Loyet wrote:

> Hi guys,
>
> I'm working on php-fpm and I had an idea for a new feature.
>
> I'd like to pass fastcgi headers to php-fpm which will set some PHP
> ini defines. It's the same as php_value or php_admin_value from the
> php apache module. I imagine something like:
>
> fastcgi_param PHP_INI_VALUE "display_errors=off";
> fastcgi_param PHP_ADMIN_INI_VALUE "open_basedir=/var/www:/tmp";
>
> Even if it sounds great, I wonder if it could be a security breach
> somehow. Is there a way a request can overwrite those parameters by
> forging a particular request ?

No, requests headers are always prefixed with "HTTP_" when they are passed
to FastCGI.


--
Igor Sysoev
http://sysoev.ru/en/

_______________________________________________
nginx mailing list
nginx@nginx.org
http://nginx.org/mailman/listinfo/nginx