Welcome! Log In Create A New Profile

Advanced

setting url-decoded PATH_INFO, according to CGI specification

Posted by locojohn 
setting url-decoded PATH_INFO, according to CGI specification
July 07, 2011 07:27AM
Dear forum members and nginx developers,

I am running nginx 1.0.4 with php 5.3.6 on the linux server. Some older sites that we host require PATH_INFO to be set correctly. In certain cases, due to fairly complex rewrite rules required by the older CMS to work, we cannot set PATH_INFO using fastcgi_split_path_info (and also due to the fact that the infamous exploit exists: /uploads/evilimage.jpg/good/myscript.php will result in evilimage.jpg being interpreted as PHP file), so we must set PATH_INFO to a custom value, so it is interpreted correctly. According to the CGI 1.1 specification, PATH_INFO should contain url-decoded string, however, if I use "set" directive and extract parts of $request_uri into PATH_INFO, then it is passed always url-encoded:

if ($request_uri ~ ^([^?]+)) {
# set PATH_INFO to REQUEST_URI without arguments.
# at this stage, I cannot use $uri that already doesn't contain args,
# as this code is included right before calling fast cgi app,
# and $uri may hold the wrong value
set $path_info $1;
}

set $script_filename $request_filename;
if ($path_info ~ ^(\/index\.php|.+\.php)([^?]*)) {
# make sure we serve the right php script
set $script_filename $document_root$1;
set $path_info $2;
}

...

if (-f $script_filename) {
fastcgi_param SCRIPT_FILENAME $script_filename;
fastcgi_param PATH_INFO $path_info;
...
fastcgi_pass ....;
}

Is there a any way for PATH_INFO and/or other environment variables set with fastcgi_param to contain url-decoded strings ?

Is it set as url-decoded string when using fastcgi_split_path_info, actually?

Many thanks for any feedback in advance!

Andrejs



Edited 1 time(s). Last edit at 07/07/2011 07:27AM by locojohn.
Re: setting url-decoded PATH_INFO, according to CGI specification
July 15, 2011 01:42PM
Yes, there is. See my post at http://forum.nginx.org/read.php?11,212439 for more information.
Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 230
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 500 on July 15, 2024
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready