Updated Nginx and PHP on my server to the latest stable versions. PHP is currently 5.4.6.
After the update FCKEditor stopped working — instead of it I was getting an «Access Denied» message.
FCKEditor is rendered on the page through an iframe, and that’s where the message was hanging. I dug through the editor’s sources thinking maybe there was some PHP version check somewhere, but didn’t find anything special. The iframe loads fckeditor/editor/fckeditor.html. Opening that file directly produced the same error. I started suspecting Nginx, but it turned out to be neither Nginx nor the editor’s code — it was PHP itself (php-fpm).
Googling «Access Denied» wasn’t easy, but glancing into the error logs I spotted the keyword security.limit_extensions. From the name, this php-fpm.conf option controls which file extensions PHP code is allowed to execute in. Starting with PHP 5.3.9, for security reasons, if this option isn’t specified in the config, PHP only runs in .php files (I don’t know what it was before). FCKEditor wires itself up through PHP in some clever/messy way that ends up executing code in that very fckeditor.html file (even though there’s no PHP code inside — just a long framework setup). That’s why php-fpm was returning «Access Denied».
Fix: in php-fpm.conf, or better, in the pool .conf file (something like /etc/php-fpm/pulls/mysite.conf), add this line:
security.limit_extensions = .php .html
That’s the fix. Spent almost an hour and a half tracking it down — without knowing the editor’s code I couldn’t immediately figure out where to dig. So I’ll leave this here. Maybe it’ll save someone else the same trouble.