Dear forum members and nginx developers,
I am running nginx 1.0.4 with PHP 5.3.6 on a Linux server. Some older sites that we host require PATH_INFO to be set correctly. In certain cases, due to the fairly complex rewrite rules that the older CMS requires in order to work, we cannot set PATH_INFO using fastcgi_split_path_info (and also due to the fact that the infamous exploit exists: /uploads/evilimage.jpg/good/myscript.php will result in evilimage.jpg being interpreted as a PHP file), so we must set PATH_INFO to a custom value so that it is interpreted correctly. According to the CGI 1.1 specification, PATH_INFO should contain a URL-decoded string; however, if I use the "set" directive and extract parts of $request_uri into PATH_INFO, then it is always passed URL-encoded:
    if ($request_uri ~ ^([^?]+)) {
        # set PATH_INFO to REQUEST_URI without arguments.
        # at this stage, I cannot use $uri that already doesn't contain args,
        # as this code is included right before calling fast cgi app,
        # and $uri may hold the wrong value
        set $path_info $1;
    }
    set $script_filename $request_filename;
    if ($path_info ~ ^(\/index\.php|.+\.php)([^?]*)) {
        # make sure we serve the right php script
        set $script_filename $document_root$1;
        set $path_info $2;
    }
    ...
    if (-f $script_filename) {
        fastcgi_param SCRIPT_FILENAME $script_filename;
        fastcgi_param PATH_INFO $path_info;
        ...
        fastcgi_pass ....;
    }
Is there any way for PATH_INFO and/or other environment variables set with fastcgi_param to contain URL-decoded strings?
Is it actually set as a URL-decoded string when using fastcgi_split_path_info?
Many thanks for any feedback in advance!
Andrejs
Edited 1 time(s). Last edit at 07/07/2011 07:27AM by locojohn.
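Added example, not part of the original post: a Python model of the split performed by the configuration above, showing the URL-encoded PATH_INFO it produces next to the decoded value CGI 1.1 expects, and the effect of the regular-file check on the /uploads/evilimage.jpg/good/myscript.php request. The function names, the temporary document root and the sample URIs are constructed for illustration, and `urllib.parse.unquote` stands in for the decoding step.

```python
import os
import re
import tempfile
from urllib.parse import unquote

# The two regexes from the post, applied to the raw (still encoded) request URI.
STRIP_QUERY = re.compile(r'^([^?]+)')
SPLIT_PHP = re.compile(r'^(/index\.php|.+\.php)([^?]*)')


def split_request(request_uri, docroot):
    """Return (script_filename, raw_path_info, decoded_path_info), or None to refuse."""
    m = STRIP_QUERY.match(request_uri)
    if not m:
        return None
    m = SPLIT_PHP.match(m.group(1))
    if not m:
        return None
    script_rel, raw_info = m.group(1), m.group(2)
    root = os.path.realpath(docroot)
    script = os.path.realpath(os.path.join(root, script_rel.lstrip('/')))
    # Counterpart of `if (-f $script_filename)`: the script part must be an
    # existing regular file, and (added here) must stay inside the docroot.
    if os.path.commonpath([root, script]) != root or not os.path.isfile(script):
        return None
    # Decode exactly once, after the split, so an encoded "/" or "?" in
    # PATH_INFO cannot change where the script name ends.
    return script, raw_info, unquote(raw_info)


def demo():
    """Run two constructed requests against a constructed document root."""
    with tempfile.TemporaryDirectory() as docroot:
        os.makedirs(os.path.join(docroot, 'uploads'))
        for name in ('index.php', os.path.join('uploads', 'evilimage.jpg')):
            with open(os.path.join(docroot, name), 'w') as fh:
                fh.write('')
        ok = split_request('/index.php/caf%C3%A9%20menu?x=1', docroot)
        # The whole path becomes the script name; it is not a file, so it is refused.
        bad = split_request('/uploads/evilimage.jpg/good/myscript.php', docroot)
        return (os.path.basename(ok[0]), ok[1], ok[2]), bad


if __name__ == '__main__':
    print(demo())
```
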