[CentOS] PHP FPM issue

Thu Oct 31 14:58:38 UTC 2019
Marius ROMAN <marius at roman.systems>

On 10/31/19 10:49 AM, Thomas Stephen Lee wrote:
> Hi,
>
> what is the workaround for this?
>
> https://www.nginx.com/blog/php-fpm-cve-2019-11043-vulnerability-nginx/
>
> in either CentOS 7 or 8 ?
>
> thanks
>
> ---
> Thomas Stephen Lee
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos

The simplest is to conditionally set PATH_INFO if it's not empty:

fastcgi_param PATH_INFO $fastcgi_path_info if_not_empty;

Another option is to explicitly test whether the fastcgi script path 
exists :

if (!-f $document_root$fastcgi_script_name) {
                                 return 404;
}

-- 
Marius