Nginx.conf PHP example on Windows

The default PHP example is insecure on Windows.

It needs to be ~* instead of ~. Otherwise, someone can request .PHP instead of .php and
read the text of the PHP file. You may want to point this out somewhere in the docs, or just
make the default matching ~* in the default, example configuration.

This is probably not an issue for people who think about it, but I suspect many people will just
use the defaults.

-James

On Thu, Aug 27, 2009 at 11:40:11AM -0400, [email protected] wrote:

The default PHP example is insecure on Windows.

It needs to be ~* instead of ~. Otherwise, someone can request .PHP instead of .php and
read the text of the PHP file. You may want to point this out somewhere in the docs, or just
make the default matching ~* in the default, example configuration.

This is probably not an issue for people who think about it, but I suspect many people will just
use the defaults.

Changes with nginx 0.8.6                                         20 Jul 2009

*) Bugfix: now in MacOSX, Cygwin, and nginx/Windows locations given by
   a regular expression are always tested in case insensitive mode.
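
A config check for the issue raised in this thread, added here as an example (it is not part of the thread and not nginx code): it flags case-sensitive `~` regex locations that a case-swapped extension such as `.PHP` would not match, and rewrites only those to `~*`. It assumes simple patterns that Python's `re` treats the same way as PCRE; the sample config, the probe URI and all function names are constructed for illustration.

```python
import re

# Constructed sample, modelled on the PHP location discussed in the thread.
SAMPLE_CONF = r"""
server {
    location / {
        root html;
    }
    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;
    }
    location ~* \.(gif|jpg)$ {
        expires 30d;
    }
}
"""

# Captures the modifier ("~" or "~*") and the pattern of each regex location.
LOCATION_RE = re.compile(r"^\s*location\s+(~\*?)\s+(\S+)\s*\{", re.M)

def regex_locations(conf):
    """Return (modifier, pattern) pairs in file order."""
    return LOCATION_RE.findall(conf)

def swap_ext_case(uri):
    """'/index.php' -> '/index.PHP': same file on a case-insensitive filesystem."""
    stem, dot, ext = uri.rpartition(".")
    return stem + dot + ext.swapcase()

def audit(conf, probes=("/index.php",)):
    """List (pattern, uri, variant) where '~' matches uri but misses the variant."""
    findings = []
    for modifier, pattern in regex_locations(conf):
        if modifier != "~":          # "~*" already ignores case
            continue
        rx = re.compile(pattern)
        for uri in probes:
            variant = swap_ext_case(uri)
            if rx.search(uri) and not rx.search(variant):
                findings.append((pattern, uri, variant))
    return findings

def harden(conf, probes=("/index.php",)):
    """Rewrite only the flagged '~' locations to '~*'."""
    flagged = {pattern for pattern, _, _ in audit(conf, probes)}
    def fix(m):
        if m.group(1) == "~" and m.group(2) in flagged:
            return m.group(0).replace("~", "~*", 1)
        return m.group(0)
    return LOCATION_RE.sub(fix, conf)
```

Per the changelog entry quoted above, nginx 0.8.6 and later already test regex locations case-insensitively on MacOSX, Cygwin and Windows, so the check matters for older builds.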