On 10/31/19 10:49 AM, Thomas Stephen Lee wrote:
Hi,
what is the workaround for this?
https://www.nginx.com/blog/php-fpm-cve-2019-11043-vulnerability-nginx/
in either CentOS 7 or 8 ?
thanks
Thomas Stephen Lee _______________________________________________ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
The simplest is to conditionally set PATH_INFO if it's not empty:
fastcgi_param PATH_INFO $fastcgi_path_info if_not_empty;
Another option is to explicitly test whether the fastcgi script path exists :
if (!-f $document_root$fastcgi_script_name) { return 404; }