Default pwd of fastcgi scripts can change on every restart
In Lighttpd-1.4.6, the fastcgi pwd defaults to the dir in which the webserver was restarted so it breaks script compatibility with Apache2+mod_fastcgi and creates a perception of bad security.
For example, the following causes pwd in fastcgi scripts to be /:
cd / /etc/init.d/lighttpd restart
This causes several problems:
1. it breaks compatibility with scripts that run fine in Apache2 + mod_fastcgi and Apache2 + mod_fcgid which makes migrating from Apache2 to Lighttpd more troublesome
2. this behavior looks weak/improper to security professionals so it really doesn't matter if this can/will be exploited--the perception of bad security is not desirable in a web server
3. it can cause problems with scripts that are hard to track down. scripts can work fine for months until the webserver is restarted manually from a dir different from prior restarts
Make the default pwd of fastcgi scripts be the same dir in which the executed script file is located. If the script is /srv/www/foo/fastcgi/bar.rb, then default pwd should be /srv/www/foo/fastcgi/
Optionally add a directive that allows this to be set inside a config file--but the directive shouldn't be necessary if the aboved proposed fix is the generally accepted standard behavior of all other web servers.
Also available in: Atom