Passing Uncontrolled Requests to PHP

Does the wiki example mitigate the “Passing Uncontrolled Requests to
PHP” risk?

    # Any URI containing ".php" followed by "/" or end of string is handed to PHP.
    location ~ [^/]\.php(/|$) {
            # Split "/foo.php/bar" into $fastcgi_script_name=/foo.php and
            # $fastcgi_path_info=/bar.
            fastcgi_split_path_info ^(.+?\.php)(/.*)$;
            # Refuse requests whose script part is not an existing file, so
            # "/x.jpg/y.php" cannot be walked back to "/x.jpg" by PHP.
            if (!-f $document_root$fastcgi_script_name) {
                    return 404;
            }

            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            include fastcgi_params;
    }

http://wiki.nginx.org/PHPFcgiExample

http://wiki.nginx.org/Pitfalls#Passing_Uncontrolled_Requests_to_PHP

If not, I’d like to update it.

  • Grant

No, you’re just addressing the cgi.fix_pathinfo issue. If I manage to upload
a file called owned.php, I can execute it because you don’t whitelist the
scripts that can be executed.

----appa

No, you’re just addressing the cgi.fix_pathinfo issue. If I manage to upload
a file called owned.php, I can execute it because you don’t whitelist the
scripts that can be executed.

So disabling PHP execution in user upload directories and using the
location block from the wiki should mitigate this risk?

  • Grant
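The server block below is an added example written for this thread; it is not the wiki's configuration and not anything Grant or appa posted. It combines the three controls the discussion touches on: the existence check from the wiki block (the cgi.fix_pathinfo issue), a static-only upload directory, and a whitelist of the scripts that may run. The document root /var/www/example, the hostname example.com, the /uploads/ directory and the entry points index.php and admin.php are assumptions for illustration; the PHP-FPM address 127.0.0.1:9000 is the one from the thread.

```nginx
# Added example, not the wiki's or the posters' config. Assumed names:
# example.com, /var/www/example, /uploads/, index.php, admin.php.
server {
    listen 80;
    server_name example.com;
    root /var/www/example;
    index index.php index.html;

    # 1. User uploads: never passed to PHP, whatever the file is called.
    #    "^~" beats every regex location in this server block, so
    #    /uploads/owned.php and /uploads/avatar.jpg/x.php are answered here
    #    and never reach fastcgi_pass.
    location ^~ /uploads/ {
        try_files $uri =404;
        add_header X-Content-Type-Options nosniff;
        # Nested location: a .php name under /uploads/ is refused outright
        # rather than served as a static file (which would leak its source).
        location ~ \.php(/|$) {
            return 403;
        }
    }

    # 2. Whitelist of PHP entry points. Regex locations are tried in order
    #    and the first match wins, so this block must precede the catch-all
    #    below. The anchors keep /index.php.bak and /tmp/admin.php out.
    location ~ ^/(index|admin)\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        # The wiki's check: the script part must be a real file. Without it,
        # cgi.fix_pathinfo=1 lets PHP walk /x.jpg/y.php back to /x.jpg.
        if (!-f $document_root$fastcgi_script_name) {
            return 404;
        }
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
    }

    # 3. Every other .php name (an upload that landed outside /uploads/, a
    #    forgotten test script) is neither executed nor served.
    location ~ \.php(/|$) {
        return 404;
    }

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Check it with `nginx -t`, then request /uploads/owned.php (expect 403), /uploads/avatar.jpg/x.php (expect 403, from the nested location), /index.php/extra (executed, with PATH_INFO=/extra) and /other.php (expect 404). Setting cgi.fix_pathinfo=0 in php.ini is the matching PHP-side change; the nginx checks above do not depend on it, but the two together mean neither side trusts the other to get the script path right.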
