Hello, I prepared a patch and it is attached.
The problem with PATH_INFO is explained in https://nealpoole.com/blog/2011/04/setting-up-php-fastcgi-and-nginx-dont-trust-the-tutorials-check-your-configuration/ and http://serverfault.com/questions/627903/is-the-php-option-cgi-fix-pathinfo-really-dangerous-with-nginx-php-fpm . Debian already has protection against this problem by having "try_files $uri =404;" in the fastcgi snippet and also default value ".php" for "security.limit_extensions". So I think it is safe to allow path info after php url.
About the index directive, I'm not talking about moving the directive itself, only moving the comment, so that everything about enabling php is in one section of the file.
php7.0-fpm and php7.0-cgi are package names and ".0" shouldn't be dropped.
Best regards,
Ognyan
--- default.orig 2016-10-23 09:12:14.000000000 +0300 +++ default 2016-10-23 09:19:03.478261829 +0300 @@ -40,7 +40,6 @@ root /var/www/html; - # Add index.php to the list if you are using PHP index index.html index.htm index.nginx-debian.html; server_name _; @@ -52,13 +51,14 @@ } # pass PHP scripts to FastCGI server + # (usually you also need to add index.php to the index directive above) # - #location ~ \.php$ { + #location ~ \.php($|/) { # include snippets/fastcgi-php.conf; # - # # With php5-fpm (or other unix sockets): + # # With php7.0-fpm (or other unix sockets): # fastcgi_pass unix:/var/run/php7.0-fpm.sock; - # # With php5-cgi (or other tcp sockets): + # # With php7.0-cgi (or other tcp sockets): # fastcgi_pass 127.0.0.1:9000; #}
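Review bot: in the first hunk (-40,7), removing "# Add index.php to the list if you are using PHP" leaves the index line with no hint of its own, and the replacement added in the second hunk sits about ten lines lower inside the commented-out PHP block, so someone who edits only the index directive will not see it. Consider keeping a one-line pointer next to the directive that refers down to the PHP section, or check that "the index directive above" in the new comment is enough for a reader to find the right line in a longer, locally edited file.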
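Review bot: in the second hunk, the new "#location ~ \.php($|/) {" also hands requests with path info after the script name to FastCGI, but nothing in the comment block says that this depends on the existence check in the included snippets/fastcgi-php.conf, which the covering message gives as the reason the change is safe. Add a comment line stating that dependency, so that an admin who replaces the include with hand-written fastcgi settings knows to keep an equivalent try_files check. As a style point, the group is never referenced, so a non-capturing "(?:$|/)" would avoid setting $1.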