Re: php-fpm not matching path correctly, executing any file

Posted by brianmercer 
May 13, 2012 11:14AM
On 5/13/2012 10:39 AM, Ben Firshman wrote:
> Hi,
>
> I am using PHP-FPM with Nginx. PHP-FPM seems to execute any arbitrary file with a URL constructed like this:
>
> http://basschat.co.uk/favicon.ico/.php
> http://php-fpm.org/images/php-fastcgi.png/.php
>
> Does PHP-FPM strip off trailing directories until it finds a file that exists?
>
> We were bitten by this when a user uploaded an image with embedded code. I know we should have stopped code from running in this directory, but I was under the assumption that PHP-FPM just executes files that exist!
>
> Here is my Nginx config:
>
> location ~ .php$ {
> include fastcgi_params;
> fastcgi_index index.php;
> fastcgi_pass backend;
> fastcgi_connect_timeout 60;
> fastcgi_send_timeout 180;
> fastcgi_read_timeout 180;
> fastcgi_buffer_size 128k;
> fastcgi_buffers 4 256k;
> fastcgi_busy_buffers_size 256k;
> fastcgi_temp_file_write_size 256k;
> fastcgi_intercept_errors on;
> }
>
> Many thanks,
>
> Ben

Please read this thread: http://forum.nginx.org/read.php?2,88845

Your php location in nginx should be improved to check for existence of
the file, and if your software uses path info, you should consider passing
path info parameters with your nginx configuration and disabling
cgi.fix_pathinfo in php.ini.
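The quoted location block hands every URI ending in "php" to PHP-FPM without checking that a script exists; with cgi.fix_pathinfo enabled (the PHP default), PHP then strips trailing path components until it finds a real file, so /favicon.ico/.php ends up executing favicon.ico. The following is an added example of the hardened location the reply describes; it is not the poster's config or anything from the linked thread. It keeps the upstream name "backend" from the quoted config, and the /uploads/ path is an assumed location for user-supplied files.

```nginx
# Added example, not the original poster's configuration.
# Assumes: upstream "backend" is the PHP-FPM socket (as in the quoted config),
# $document_root is the directory holding the PHP files, and user uploads
# live under /uploads/ (assumed path).

# Weak form, condensed from the quoted config. The unescaped "." matches any
# character, and nothing verifies that the script exists before it is passed
# to PHP-FPM, so /favicon.ico/.php reaches PHP and fix_pathinfo walks back
# to favicon.ico.
#
#   location ~ .php$ {
#       include fastcgi_params;
#       fastcgi_pass backend;
#   }

# Hardened form. The regex requires a non-slash character before ".php",
# so "/favicon.ico/.php" does not even enter this location; a request
# such as "/favicon.ico/x.php" does, and is stopped by try_files below.
location ~ [^/]\.php(/|$) {
    # Split "/app/index.php/extra" into $fastcgi_script_name=/app/index.php
    # and $fastcgi_path_info=/extra. Copy PATH_INFO into a plain variable
    # first: try_files rewrites $uri, which resets $fastcgi_path_info.
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    set $path_info $fastcgi_path_info;

    # Refuse the request unless the script itself is a regular file under
    # $document_root. This is the existence check the reply asks for.
    try_files $fastcgi_script_name =404;

    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO       $path_info;
    fastcgi_index index.php;
    fastcgi_pass  backend;
    fastcgi_intercept_errors on;
}

# Belt and braces: PHP must never run from the directory that holds uploads,
# whatever the file is called.
location ~* ^/uploads/.*\.php(/|$) {
    return 403;
}
```

Pair this with cgi.fix_pathinfo=0 in php.ini so PHP-FPM never walks the path on its own; applications that rely on path info still get it through the explicit PATH_INFO parameter above. Since nginx does the existence check, a request like /favicon.ico/x.php now returns 404 from nginx and never reaches PHP.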