[Pkg-nginx-maintainers] Bug#841488: about index index.php
Ognyan Kulev
ognyan at ognyankulev.com
Sun Oct 23 06:52:22 UTC 2016
Hello,

I prepared a patch and it is attached.

The problem with PATH_INFO is explained in
<https://nealpoole.com/blog/2011/04/setting-up-php-fastcgi-and-nginx-dont-trust-the-tutorials-check-your-configuration/>
and
<http://serverfault.com/questions/627903/is-the-php-option-cgi-fix-pathinfo-really-dangerous-with-nginx-php-fpm>.
Debian already has protection against this problem by having
"try_files $uri =404;" in the fastcgi snippet and also default value
".php" for "security.limit_extensions". So I think it is safe to allow
path info after php url.

About the index directive, I'm not talking about moving the directive
itself, only moving the comment, so that everything about enabling php
is in one section of the file.

php7.0-fpm and php7.0-cgi are package names and ".0" shouldn't be dropped.

Best regards,
Ognyan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: nginx-php.diff
Type: text/x-patch
Size: 775 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-nginx-maintainers/attachments/20161023/b1b0fcbf/attachment.bin>
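
Added example, not part of the original message or of the Debian packaging: a small Python check for the two protections the message relies on, an active "try_files ... =404;" directive in the nginx FastCGI snippet and a "security.limit_extensions" value restricted to ".php" in the PHP-FPM pool file. The sample configuration text and all function names are constructed for illustration, and the comment stripping is simplified (it does not handle a quoted "#" or ";").

```python
import re

# Constructed sample inputs for illustration; not Debian's shipped files.
NGINX_GUARDED = "try_files $uri =404;\ninclude fastcgi.conf;\n"
NGINX_UNGUARDED = "# try_files $uri =404;\ninclude fastcgi.conf;\n"
POOL_DEFAULT = "[www]\n;security.limit_extensions = .php .php3\n"
POOL_DISABLED = "[www]\nsecurity.limit_extensions =\npm = dynamic\n"


def strip_comments(text, marker):
    """Drop everything after the comment marker on each line."""
    return "\n".join(line.split(marker, 1)[0] for line in text.splitlines())


def nginx_has_existence_check(conf):
    """True if an active `try_files ... =404;` directive is present."""
    active = strip_comments(conf, "#")
    return re.search(r"\btry_files\s+[^;]*\s=404\s*;", active) is not None


def fpm_limit_extensions(pool_conf):
    """Effective extension list; an empty list means the limit is disabled."""
    active = strip_comments(pool_conf, ";")
    # [ \t]* rather than \s* so an empty value cannot swallow the next line.
    m = re.search(
        r"^[ \t]*security\.limit_extensions[ \t]*=[ \t]*(.*)$", active, re.M
    )
    if m is None:
        return [".php"]  # assumption: default value as stated in the message
    return m.group(1).split()


def audit(nginx_conf, pool_conf):
    """Report whether both guards named in the message are in effect."""
    exts = fpm_limit_extensions(pool_conf)
    return {
        "try_files_guard": nginx_has_existence_check(nginx_conf),
        "limit_extensions": exts,
        "extension_guard": exts == [".php"],
    }


if __name__ == "__main__":
    print(audit(NGINX_GUARDED, POOL_DEFAULT))
    print(audit(NGINX_UNGUARDED, POOL_DISABLED))
```
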