Bad Request on a POST request with specific content

Posted by xyan 
I'm using nginx+php-fpm and noticed an oddity: on a POST request, if the form content contains the character sequence [b][i]<script[/i][/b], I get 400 Bad Request, but if the form has enctype="multipart/form-data" set, everything works as expected. Is that how it should be? I never noticed anything like this with Apache. Or is this php-fpm's mischief?

[code]
nginx version: nginx/0.8.53
built by gcc 4.1.2 20080704 (Red Hat 4.1.2-48)
configure arguments: --with-http_stub_status_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module
[/code]


[code]
PHP 5.3.3 (fpm-fcgi) (built: Nov 25 2010 23:22:06)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
[/code]
suhosin?

2010/12/9 xyan <nginx-forum@nginx.us>

> I'm using nginx+php-fpm and noticed an
> oddity: on a POST request, if the form
> content contains the character sequence
> [b][i]<script[/i][/b], I get 400 Bad Request, but if
> the form has enctype="multipart/form-data" set, everything
> works as expected. Is that how it should
> be? I never noticed anything like this with Apache. Or is
> this php-fpm's mischief?
>
> [code]
> nginx version: nginx/0.8.53
> built by gcc 4.1.2 20080704 (Red Hat 4.1.2-48)
> configure arguments: --with-http_stub_status_module
> --without-mail_pop3_module --without-mail_imap_module
> --without-mail_smtp_module
> [/code]
>
>
> [code]
> PHP 5.3.3 (fpm-fcgi) (built: Nov 25 2010 23:22:06)
> Copyright (c) 1997-2009 The PHP Group
> Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
> [/code]
>
> Posted at Nginx Forum:
> http://forum.nginx.org/read.php?25,156930,156930#msg-156930
>
>
Dima Golovchenko Wrote:
-------------------------------------------------------
> suhosin?
>
PHP is built from the standard sources; is the Suhosin patch really included in 5.3.3?

[code]
phpinfo()
PHP Version => 5.3.3

System => Linux hostname 2.6.18-028stab059.6-ent #1 SMP Fri Nov 14 15:51:43 MSK 2008 i686
Build Date => Nov 25 2010 23:09:05
Configure Command => './configure' '--with-mysql' '--enable-mbstring=all' '--with-zlib' '--with-iconv' '--with-gettext' '--with-mcrypt' '--enable-mbregex' '--with-openssl' '--enable-sockets' '--with-jpeg-dir=/usr/local' '--with-gd' '-
-with-freetype-dir=/usr/local/' '--with-curl' '--enable-fpm'
Server API => Command Line Interface
Virtual Directory Support => disabled
Configuration File (php.ini) Path => /usr/local/lib
Loaded Configuration File => /usr/local/lib/php.ini
Scan this dir for additional .ini files => (none)
Additional .ini files parsed => (none)
PHP API => 20090626
PHP Extension => 20090626
Zend Extension => 220090626
Zend Extension Build => API220090626,NTS
PHP Extension Build => API20090626,NTS
Debug Build => no
Thread Safety => disabled
Zend Memory Manager => enabled
Zend Multibyte Support => disabled
IPv6 Support => enabled
Registered PHP Streams => https, ftps, compress.zlib, php, file, glob, data, http, ftp, phar
Registered Stream Socket Transports => tcp, udp, unix, udg, ssl, sslv3, sslv2, tls
Registered Stream Filters => zlib.*, convert.iconv.*, mcrypt.*, mdecrypt.*, string.rot13, string.toupper, string.tolower, string.strip_tags, convert.*, consumed, dechunk
[/code]
So what do the logs say? Who is returning the 400 code, php or nginx?

2010/12/9 xyan <nginx-forum@nginx.us>

> Dima Golovchenko Wrote:
> -------------------------------------------------------
> > suhosin?
> >
> PHP is built from the standard sources;
> is the Suhosin patch really included in 5.3.3?
>
> [code]
> phpinfo()
> PHP Version => 5.3.3
>
> System => Linux hostname 2.6.18-028stab059.6-ent #1 SMP Fri Nov 14
> 15:51:43 MSK 2008 i686
> Build Date => Nov 25 2010 23:09:05
> Configure Command => './configure' '--with-mysql'
> '--enable-mbstring=all' '--with-zlib' '--with-iconv' '--with-gettext'
> '--with-mcrypt' '--enable-mbregex' '--with-openssl' '--enable-sockets'
> '--with-jpeg-dir=/usr/local' '--with-gd' '-
> -with-freetype-dir=/usr/local/' '--with-curl' '--enable-fpm'
> Server API => Command Line Interface
> Virtual Directory Support => disabled
> Configuration File (php.ini) Path => /usr/local/lib
> Loaded Configuration File => /usr/local/lib/php.ini
> Scan this dir for additional .ini files => (none)
> Additional .ini files parsed => (none)
> PHP API => 20090626
> PHP Extension => 20090626
> Zend Extension => 220090626
> Zend Extension Build => API220090626,NTS
> PHP Extension Build => API20090626,NTS
> Debug Build => no
> Thread Safety => disabled
> Zend Memory Manager => enabled
> Zend Multibyte Support => disabled
> IPv6 Support => enabled
> Registered PHP Streams => https, ftps, compress.zlib, php, file, glob,
> data, http, ftp, phar
> Registered Stream Socket Transports => tcp, udp, unix, udg, ssl, sslv3,
> sslv2, tls
> Registered Stream Filters => zlib.*, convert.iconv.*, mcrypt.*,
> mdecrypt.*, string.rot13, string.toupper, string.tolower,
> string.strip_tags, convert.*, consumed, dechunk
> [/code]
>
> Posted at Nginx Forum:
> http://forum.nginx.org/read.php?25,156930,157114#msg-157114
>
>
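
An added example, not part of any post in this thread: one way to answer the last question (which side produced the 400), assuming an access log format that records nginx's `$upstream_status` next to `$status`. The `origin` format name, the log path and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Assumed nginx configuration (not taken from the thread):
#   log_format origin '$remote_addr "$request" $status upstream=$upstream_status';
#   access_log /var/log/nginx/access.log origin;
# $upstream_status is "-" when nginx answered without contacting the backend,
# and may hold several comma-separated codes if more than one upstream was tried.

# Constructed sample lines in the assumed format.
sample_log() {
cat <<'EOF'
192.0.2.10 "POST /form.php HTTP/1.1" 400 upstream=400
192.0.2.10 "POST /form.php HTTP/1.1" 200 upstream=200
192.0.2.11 "POST /form.php HTTP/1.1" 400 upstream=-
192.0.2.12 "GET /index.php HTTP/1.1" 502 upstream=502
192.0.2.13 "POST /upload.php HTTP/1.1" 400 upstream=502, 400
EOF
}

# Read log lines on stdin; for every 400 response print
# "<origin> <method> <uri>", where origin is nginx, backend or unclear.
classify_400() {
    awk -F'"' '
    {
        n = split($3, f, " ")        # f[1] = client status, f[n] = last upstream status
        status = f[1]
        if (status != "400") next
        up = f[n]
        sub(/^upstream=/, "", up)    # single-upstream case keeps the prefix
        split($2, req, " ")          # req[1] = method, req[2] = URI
        if (up == "-")         origin = "nginx"     # rejected before reaching php-fpm
        else if (up == status) origin = "backend"   # php-fpm (or PHP code) sent the 400
        else                   origin = "unclear"
        print origin, req[1], req[2]
    }'
}

sample_log | classify_400
```

For the requests classified as `nginx`, the matching entry in nginx's `error_log` is the place to look for the reason the request was rejected.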