On 5/13/2012 10:39 AM, Ben Firshman wrote:
> Hi,
>
> I am using PHP-FPM with Nginx. PHP-FPM seems to execute any arbitrary file with a URL constructed like this:
>
> http://basschat.co.uk/favicon.ico/.php
> http://php-fpm.org/images/php-fastcgi.png/.php
>
> Does PHP-FPM strip off trailing directories until it finds a file that exists?
>
> We were bitten by this when a user uploaded an image with embedded code. I know we should have stopped code from running in this directory, but I was under the assumption that PHP-FPM just executes files that exist!
>
> Here is my Nginx config:
>
> location ~ .php$ {
>     include fastcgi_params;
>     fastcgi_index index.php;
>     fastcgi_pass backend;
>     fastcgi_connect_timeout 60;
>     fastcgi_send_timeout 180;
>     fastcgi_read_timeout 180;
>     fastcgi_buffer_size 128k;
>     fastcgi_buffers 4 256k;
>     fastcgi_busy_buffers_size 256k;
>     fastcgi_temp_file_write_size 256k;
>     fastcgi_intercept_errors on;
> }
>
> Many thanks,
>
> Ben
Please read this thread: http://forum.nginx.org/read.php?2,88845

Your PHP location in nginx should be improved to check for the existence of
the file, and if your software uses path info, you should consider passing
the path info parameters from your nginx configuration and disabling
cgi.fix_pathinfo in php.ini.
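The hardened location the reply describes, written out as an added example (it is not from either message in this thread); it assumes the upstream name "backend" from Ben's config, a stock fastcgi_params file, and that $document_root points at the site's web root.

```nginx
# Added example (not the thread's own config): PHP location for nginx + PHP-FPM
# that only hands real scripts to PHP and passes path info explicitly.
# Assumes upstream "backend" and a stock fastcgi_params file.
location ~ [^/]\.php(/|$) {
    # Split "/index.php/extra/path" into the script ("/index.php") and the
    # trailing path info ("/extra/path") before any existence check.
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;

    # try_files rewrites $uri, which can clear $fastcgi_path_info afterwards,
    # so keep a copy of it first.
    set $path_info $fastcgi_path_info;

    # Refuse the request unless the script itself exists on disk.
    # For "/favicon.ico/.php" the split regex does not match (no "/" after
    # ".php"), so $fastcgi_script_name stays "/favicon.ico/.php"; that is not
    # a file, so nginx answers 404 and PHP-FPM never sees the request.
    try_files $fastcgi_script_name =404;

    include fastcgi_params;
    # Tell PHP exactly which script to run and what the path info is, instead
    # of letting it walk the path looking for a file (cgi.fix_pathinfo).
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO       $path_info;
    fastcgi_param PATH_TRANSLATED $document_root$path_info;

    fastcgi_index index.php;
    fastcgi_pass backend;
}
```

Pair this with cgi.fix_pathinfo=0 in php.ini so that PHP stops guessing a script from the path on its side as well; verify with nginx -t and by requesting /some-image.png/.php, which should now return 404 rather than executing.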