



That's not really nginx's fault, its behaviour is quite sensible. The main problem is that PHP does some poorly-documented magic behind the scenes[1] that modifies the information nginx gives it in a way that causes security issues. The solution is not to do that; if you really need the path-splitting functionality that cgi.fix_pathinfo provides, it's better and safer to set fastcgi_split_path_info in the nginx configuration instead.

[1] http://php.net/manual/en/ini.core.php#ini.cgi.fix-pathinfo - the docs on cgi.fix_pathinfo don't mention that it affects which PHP file gets executed at all.
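
The approach recommended in the comment above, sketched as an nginx configuration (an added example, not part of the original comment). The socket path and the location regex are assumptions, and `cgi.fix_pathinfo = 0` is assumed to be set in php.ini so that PHP does no path rewriting of its own.

```nginx
# Assumed companion setting in php.ini:
#   cgi.fix_pathinfo = 0
# With that off, PHP executes exactly the SCRIPT_FILENAME it is given.

location ~ [^/]\.php(/|$) {
    # nginx, not PHP, decides where the script name ends and PATH_INFO
    # begins: capture 1 becomes $fastcgi_script_name, capture 2 becomes
    # $fastcgi_path_info.
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;

    # Save PATH_INFO before try_files, which resets $fastcgi_path_info.
    set $path_info $fastcgi_path_info;

    # Answer 404 unless the script part names a file that exists on disk,
    # so nothing is handed to PHP for a path that is not a real script.
    try_files $fastcgi_script_name =404;

    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO       $path_info;

    fastcgi_pass unix:/run/php/php-fpm.sock;  # assumed socket path
}
```

After a reload, `nginx -t` confirms the syntax, and a request for a non-existent `.php` path should return 404 from nginx without reaching the PHP backend.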



