Stop "Passing Uncontrolled Requests to PHP"

https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/#passing-uncontrolled-requests-to-php

Many example NGINX configurations for PHP on the web advocate passing every URI ending in .php to the PHP interpreter. Note that this presents a serious security issue on most PHP setups as it may allow arbitrary code execution by third parties.

The fix is (probably) to use try_files $uri =404; as mentioned in the link.

Ex:

https://bbs.archlinux.org/foo.php
https://aur.archlinux.org/foo.php
https://bugs.archlinux.org/foo.php
more?

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information