Secure configs for php-fpm/pathinfo

[jkroepke]

Hi,

nginx and php-fpm has some security issue about the pathinfo feature... see https://superuser.com/questions/717863/nginxphp-fpm-setup-why-is-this-configuration-workaround-needed-to-properly-set for more informations..)

A recommended configuration is to use try_files. It must be under the fastcgi_split_path_info setting, currently this module write the try_files above fastcgi_split_path_info and should be changed. A pull request is available.

Due a bug in nginx, $fastcgi_split_path_info could be empty https://trac.nginx.org/nginx/ticket/321.

A workaround is to re-set the variable (see first comment in the issue). the set setting must be between fastcgi_split_path_info and fastcgi_pass. Currently I do not have any idea to implement this. A workaround is to hack the fastcgi_split_path like this:

fastcgi_split_path          => "^((?U).+?\\.php)(/.*)?\$;\nset \$path_info \$fastcgi_path_info;"

In my opinion , this should not be an valid solution..

[wyardley]

This seems reasonable to me, going to try and get signoff and then merge #736

[bastelfreak]

I'm closing this since the PR got merged. let us know if this still is an issue.