aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--doc/install/sample-nginx.conf16
-rw-r--r--include/dir_fns.php2
2 files changed, 14 insertions, 4 deletions
diff --git a/doc/install/sample-nginx.conf b/doc/install/sample-nginx.conf
index 57a0e63b5..396e39fb8 100644
--- a/doc/install/sample-nginx.conf
+++ b/doc/install/sample-nginx.conf
@@ -85,7 +85,7 @@ server {
# otherwise fall back to front controller
# allow browser to cache them
# added .htm for advanced source code editor library
- location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|svg)$ {
+ location ~* \.(jpg|jpeg|gif|png|ico|css|js|htm|html|ttf|woff|svg)$ {
expires 30d;
try_files $uri /index.php?q=$uri&$args;
}
@@ -98,16 +98,26 @@ server {
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
# or a unix socket
location ~* \.php$ {
- fastcgi_split_path_info ^(.+\.php)(/.+)$;
+ # Zero-day exploit defense.
+ # http://forum.nginx.org/read.php?2,88845,page=3
+ # Won't work properly (404 error) if the file is not stored on this
+ # server, which is entirely possible with php-fpm/php-fcgi.
+ # Comment the 'try_files' line out if you set up php-fpm/php-fcgi on
+ # another machine. And then cross your fingers that you won't get hacked.
+ try_files $uri =404;
+
# NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
+ fastcgi_split_path_info ^(.+\.php)(/.+)$;
# With php5-cgi alone:
# fastcgi_pass 127.0.0.1:9000;
# With php5-fpm:
fastcgi_pass unix:/var/run/php5-fpm.sock;
- fastcgi_index index.php;
+
include fastcgi_params;
+ fastcgi_index index.php;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
# deny access to all dot files
diff --git a/include/dir_fns.php b/include/dir_fns.php
index fef58428f..0c9a6bd9f 100644
--- a/include/dir_fns.php
+++ b/include/dir_fns.php
@@ -20,7 +20,7 @@ function dir_sort_links() {
return $o;
}
-function dir_safe_mode(&$a) {
+function dir_safe_mode() {
$observer = get_observer_hash();
if ($observer)