From a177c0558ef18555df64f00b7f71978afdc1e0eb Mon Sep 17 00:00:00 2001
From: "Florian Aders (EleRas)"
Date: Sat, 19 Nov 2011 11:39:40 +0100
Subject: [PATCH] Fixing vuln. in php + nginx - config, thx altmir for reporting, fixes #980
Signed-off-by: Florian Aders (EleRas)
---
 scripts/jobs/cron_tasks.inc.http.30.nginx.php | 2 ++
 scripts/jobs/cron_tasks.inc.http.35.nginx_phpfpm.php | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/scripts/jobs/cron_tasks.inc.http.30.nginx.php b/scripts/jobs/cron_tasks.inc.http.30.nginx.php
index b1d552fc..2db4d090 100644
--- a/scripts/jobs/cron_tasks.inc.http.30.nginx.php
+++ b/scripts/jobs/cron_tasks.inc.http.30.nginx.php
@@ -619,6 +619,8 @@ class nginx
 if($domain['phpenabled'] == '1')
 {
 $phpopts = "\t".'location ~ \.php$ {'."\n";
+ $phpopts.= "\t\t".'try_files $uri =404;'."\n";
+ $phpopts.= "\t\t".'fastcgi_split_path_info ^(.+\.php)(/.+)$;'."\n";
 $phpopts.= "\t\t".'fastcgi_index index.php;'."\n";
 //$phpopts.= "\t\t".'fastcgi_pass ' . $this->settings['system']['nginx_php_backend'] . ';' . "\n";
 //$phpopts.= "\t\t".'fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;'."\n";
diff --git a/scripts/jobs/cron_tasks.inc.http.35.nginx_phpfpm.php b/scripts/jobs/cron_tasks.inc.http.35.nginx_phpfpm.php
index 84fbe8f2..e9cdfadb 100644
--- a/scripts/jobs/cron_tasks.inc.http.35.nginx_phpfpm.php
+++ b/scripts/jobs/cron_tasks.inc.http.35.nginx_phpfpm.php
@@ -38,6 +38,8 @@ class nginx_phpfpm extends nginx
 $phpconfig = $php->getPhpConfig((int)$domain['phpsettingid']);
 $php_options_text = "\t".'location ~ \.php$ {'."\n";
+ $php_options_text.= "\t\t".'try_files $uri =404;'."\n";
+ $php_options_text.= "\t\t".'fastcgi_split_path_info ^(.+\.php)(/.+)$;'."\n";
 $php_options_text.= "\t\t".'fastcgi_pass unix:' . $php->getInterface()->getSocketFile() . ';' . "\n";
 $php_options_text.= "\t\t".'fastcgi_index index.php;'."\n";
 $php_options_text.= "\t\t".'fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;'."\n";
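Review bot: The added `fastcgi_split_path_info ^(.+\.php)(/.+)$;` line looks inert where it is emitted, directly after `try_files $uri =404;` inside `location ~ \.php$`. Any request with trailing path info fails the `try_files` existence check and is answered with 404 before the split variables are used, and nginx is known to leave `$fastcgi_path_info` empty after `try_files`. The effective protection is therefore `try_files` alone; either drop the split line or precede it with a comment such as `// kept for reference only: try_files above rejects any URI with trailing path info`. The same pair of lines is added in the `nginx_phpfpm` hunk. The enclosing method starts and ends outside the hunk, so whether `PATH_INFO` is passed further down cannot be seen from here.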
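Review bot: The new `try_files $uri =404;` line is the whole fix but carries no comment saying why, so a later cleanup of the generated vhost could silently remove it. I would add `// security: never pass PHP a path that is not an existing file (see #980)` above it. The check is also only valid while nginx and the PHP process see the same filesystem. That is presumably true for the unix socket used here, but less certain for the backend read from `nginx_php_backend` in the first hunk. Since this method already loads the per-domain PHP settings through `$php->getPhpConfig(...)`, it is worth confirming that the FPM side also sets `cgi.fix_pathinfo=0` or restricts `security.limit_extensions` as a second layer; the hunk does not show whether it does.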