
Changes between Initial Version and Version 1 of Ticket #18852, comment 18

Timestamp:
07/24/2012 09:10:27 PM (6 years ago)
Author:
brianlayman
Comment:

  • Ticket #18852, comment 18

    initial -> v1

    Unmodified:
    I think what is listed in this ticket is fine, but I want to raise awareness of the dangers of the try_files simply tossing all traffic that ends in .php over to be processed by fastcgi/whatever.
    In some configurations a constructed url along the lines of :

    Removed (initial):
    http://example.com/wp-content/uploads/2012/1/1/notrealla.jpg/.php
    will allow the file notrealla.jpg to be sent to the php engine for processing.  In that way a php file can be uploaded as a .jpg and then executed.

    Added (v1):
    http://example.com/wp-content/uploads/2012/1/1/notreallya.jpg/.php
    will allow the file notreallya.jpg to be sent to the php engine for processing.  In that way a php file can be uploaded as a .jpg and then executed.

    Unmodified:
    That's described here: http://forum.nginx.org/read.php?2,124297,page=1
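The following is an added example, not part of the ticket, the comment above, or the WordPress Codex nginx configuration it discusses. It shows the weak nginx pattern the comment warns about (every URI ending in .php is handed to PHP-FPM without checking that such a file exists) beside a hardened form. The document root, the PHP-FPM socket path and the upload directory layout are assumptions chosen for illustration.

```nginx
# Added example; not from ticket #18852 or the Codex nginx recipe.
# Socket path and paths below are assumptions for illustration.

# --- Weak pattern (shown commented out): anything ending in .php goes to PHP-FPM ---
# A request for /wp-content/uploads/2012/1/1/notreallya.jpg/.php matches this
# location. nginx sends SCRIPT_FILENAME=<root>/.../notreallya.jpg/.php and a
# PHP-FPM running with cgi.fix_pathinfo=1 walks back to the real file
# notreallya.jpg and executes it as PHP, which is the problem the comment describes.
#
# location ~ \.php$ {
#     include fastcgi_params;
#     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
#     fastcgi_pass unix:/run/php-fpm.sock;   # assumed socket path
# }

# --- Hardened form ---

# 1. Never execute PHP from the upload tree, however the request is spelled.
#    Regex locations are tried in order, so this must come before the generic
#    PHP location below.
location ~* /wp-content/uploads/.*\.php$ {
    deny all;
}

location ~ \.php$ {
    # 2. Only proxy to PHP-FPM when the requested script exists on disk as-is.
    #    ".../notreallya.jpg/.php" is not a file, so nginx answers 404 and
    #    PHP-FPM never sees the request. WordPress front-controller requests
    #    are unaffected: the site's "location /" rewrites them to /index.php,
    #    which does exist.
    try_files $uri =404;

    # 3. Split PATH_INFO explicitly so nothing after the script name is left
    #    for PHP to reinterpret.
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;

    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO       $fastcgi_path_info;
    fastcgi_pass unix:/run/php-fpm.sock;   # assumed socket path
}
```

The `try_files $uri =404;` line is the single change that closes the case in the comment; the upload-tree deny rule is defence in depth for any other route into PHP. On the PHP side, setting `cgi.fix_pathinfo=0` in php.ini (or restricting `security.limit_extensions` in the PHP-FPM pool) stops PHP-FPM from walking back to a non-.php file even if a proxy rule is missed.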