php_info - fastcgi_split_path_info - Not does not work
Posted by edisoti
|
php_info - fastcgi_split_path_info - Not does not work October 20, 2011 02:21PM |
Registered: 12 years ago Posts: 5 |
I am having trouble setting the PATH_INFO
I want accessing thus:
http://www.examples.com/test.php/images/test/000001
LOGS
2011/10/20 15:54:51 [error] 76110#0: *1 open() "/var/www1/examples.com/test.php/dddd/eeee" failed (20: Not a directory), client: 200.12.10.92, server: examples.com, request: "GET /test.php/dddd/eeee HTTP/1.1", host: "www.examples.com"
Edited 1 time(s). Last edit at 10/20/2011 02:27PM by edisoti.
I want accessing thus:
http://www.examples.com/test.php/images/test/000001
LOGS
2011/10/20 15:54:51 [error] 76110#0: *1 open() "/var/www1/examples.com/test.php/dddd/eeee" failed (20: Not a directory), client: 200.12.10.92, server: examples.com, request: "GET /test.php/dddd/eeee HTTP/1.1", host: "www.examples.com"
Edited 1 time(s). Last edit at 10/20/2011 02:27PM by edisoti.
|
Re: php_info - fastcgi_split_path_info - Not does not work October 21, 2011 08:27PM |
Registered: 12 years ago Posts: 7 |
By any chance did you try changing:
location ~ ^.+\.php$ {
include fastcgi_params;
fastcgi_intercept_errors on;
fastcgi_pass unix:/tmp/php.socket;
}
to remove the $ from .php$? so it reads:
location ~ ^.+\.php {
include fastcgi_params;
fastcgi_intercept_errors on;
fastcgi_pass unix:/tmp/php.socket;
}
I tried a setup like your and a bunch of variations and couldnt get it to work... Curious whether it works for you... My post with similar issue... http://forum.nginx.org/read.php?11,217039
location ~ ^.+\.php$ {
include fastcgi_params;
fastcgi_intercept_errors on;
fastcgi_pass unix:/tmp/php.socket;
}
to remove the $ from .php$? so it reads:
location ~ ^.+\.php {
include fastcgi_params;
fastcgi_intercept_errors on;
fastcgi_pass unix:/tmp/php.socket;
}
I tried a setup like your and a bunch of variations and couldnt get it to work... Curious whether it works for you... My post with similar issue... http://forum.nginx.org/read.php?11,217039
|
Re: php_info - fastcgi_split_path_info - Not does not work October 23, 2011 05:54AM |
Registered: 12 years ago Posts: 226 |
RVN Wrote:
-------------------------------------------------------
> By any chance did you try changing:
>
> location ~ ^.+\.php$ {
> include
> fastcgi_params;
> fastcgi_intercept_errors
> on;
> fastcgi_pass
> unix:/tmp/php.socket;
> }
>
> to remove the $ from .php$?
It's all subject to infamous vulnerabilty when a user can just access URLs like "/path/to/image.jpg/test/test.php/more/to/it", where "image.jpg" may be served as a PHP script, depending on the configuration and the site. This can turn into an exploit if a user has the rights to upload image files like image.jpg that would contain malicious PHP code, and then link to it in the above way. This is unless "cgi.fix_pathinfo = 0" is specified in php.ini. More on vulnerability issue:
http://forum.nginx.org/read.php?2,88845,88996
In general, it's better not to rely on PATH_INFO. If it's required by some older scripts, however, the following is a more secure option:
http://forum.nginx.org/read.php?11,217039
Andrejs
Edited 2 time(s). Last edit at 10/23/2011 05:55AM by locojohn.
-------------------------------------------------------
> By any chance did you try changing:
>
> location ~ ^.+\.php$ {
> include
> fastcgi_params;
> fastcgi_intercept_errors
> on;
> fastcgi_pass
> unix:/tmp/php.socket;
> }
>
> to remove the $ from .php$?
It's all subject to infamous vulnerabilty when a user can just access URLs like "/path/to/image.jpg/test/test.php/more/to/it", where "image.jpg" may be served as a PHP script, depending on the configuration and the site. This can turn into an exploit if a user has the rights to upload image files like image.jpg that would contain malicious PHP code, and then link to it in the above way. This is unless "cgi.fix_pathinfo = 0" is specified in php.ini. More on vulnerability issue:
http://forum.nginx.org/read.php?2,88845,88996
In general, it's better not to rely on PATH_INFO. If it's required by some older scripts, however, the following is a more secure option:
http://forum.nginx.org/read.php?11,217039
Andrejs
Edited 2 time(s). Last edit at 10/23/2011 05:55AM by locojohn.
|
Re: php_info - fastcgi_split_path_info - Not does not work October 23, 2011 07:39AM |
Registered: 12 years ago Posts: 5 |
|
Re: php_info - fastcgi_split_path_info - Not does not work October 23, 2011 07:58AM |
Registered: 12 years ago Posts: 5 |
Sorry, only registered users may post in this forum.
Online Users
Guests:
223
Record Number of Users:
8
on April 13, 2023
Record Number of Guests:
421
on December 02, 2018
This forum is powered by Phorum.
 |
 |
 |
 |
|