Bug? php-source exposed when php=off with nginx

flexjoly

Hi,

I was just testing the php=off feature for a domain, knowing that nginx does not parse php on its own but will expose the source file.

If php is off for a user or domain, then nginx should disable any php/inc file, so your source code is not shown by accident.

For now I added/changed the following in nginx_server[_secure].conf

Code:
|*if PHP="ON"|
    index index.php index.html index.htm;
|*endif|
|*if PHP!="ON"|
    # PHP is off: refuse .php requests instead of serving the file as static content
    location ~ \.php$ {
        return 404;
    }
|*endif|

This almost works. But the internal redirect from http://domain.com without a URI is still forwarded to index.php, and it is downloadable as a source file?
---update--- After some other changes/rewrites this is also working and no php is exposed anymore.

At the moment I only copy/paste my old configs to the new server, and I forgot about all the different location settings.
As it was only for testing, I cannot dive into this now. But I hope DA will make a fix.

Thanks in advance
flexJoly
 
Why should it work differently? If you turn php off the webserver just does its task: serve you the file...

Why would you upload php files to a host where php is disabled?
 
Hi @Nickske00 ,

I did think of that too.
And it might be the case that some host a source-file library, where you want php-files to be downloadable.

But if someone (by accident) disables php, and the existing php files are then exposed... you do NOT want that.

We are managing our own users, domains etc. So I do not worry about it.
But what happens when you have clients managing their own account....
And switching off php.... exposing your beloved core-business-php-sources.... ??

Yes, it is just a worst-case scenario. But it can be easily tackled by DA, I think.
This is only a problem for nginx, not for apache. (Others I do not know.)

Greetz, flexJoly
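
A check for the case discussed in this thread, added here as an example that is not part of any post or of DirectAdmin's templates: it reads rendered nginx configuration text and reports, per server block, whether a request for a .php file is passed to a backend, refused, or served as a static file. The host names and socket path are constructed, and only regex locations are considered (prefix, exact and nested locations are an ignored simplification).

```python
import re

# Constructed sample of rendered nginx config (not taken from a real server).
SAMPLE_CONF = r"""
server {
    server_name on.example;
    location ~ \.php$ { fastcgi_pass unix:/run/php/sample.sock; }
}
server {
    server_name off.example;    # PHP off, nothing matches .php
    location / { try_files $uri $uri/ =404; }
}
server {
    server_name fixed.example;  # PHP off, with the rule from the first post
    location ~ \.php$ { return 404; }
}
"""

def blocks(text, keyword):
    """Yield (header, body) of each `keyword ... { ... }` block via brace matching."""
    for m in re.finditer(r"(?m)^\s*%s\b([^{;]*)\{" % keyword, text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1).strip(), text[m.end():i - 1]

def php_status(server_body):
    """Status of /index.php under the first matching regex location (nginx order)."""
    for header, body in blocks(server_body, "location"):
        parts = header.split(None, 1)
        if len(parts) != 2 or parts[0] not in ("~", "~*"):
            continue  # simplification: only regex locations are considered
        try:
            if not re.search(parts[1], "/index.php", re.I if parts[0] == "~*" else 0):
                continue
        except re.error:
            continue  # PCRE syntax that Python's re cannot compile
        blocked = re.search(r"\b(return\s+\d{3}|deny\s+all)\b", body)
        if re.search(r"\b(fastcgi_pass|proxy_pass)\b", body):
            return "handled"
        return "blocked" if blocked else "exposed"
    return "exposed"  # no location matched: the file is served as static content

def audit(conf):
    report = {}
    for _, body in blocks(re.sub(r"#.*", "", conf), "server"):
        name = re.search(r"\bserver_name\s+([^;\s]+)", body)
        report[name.group(1) if name else "(unnamed)"] = php_status(body)
    return report
```

Calling `audit()` on the text of the generated per-domain config files lists every server block whose status is "exposed".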
 