Default nginx configuration allows downloading un-whitelisted php files as plain text

[andrewkett]

Using nginx.conf.sample as nginx config, if new php files are added under the pub directory they are downloaded as plain text.

This isn't really a problem with a default install but if custom php files are added without modifying nginx it is potentially a security issue.

[davidalger]

Addressed in PR #2318. Closing as duplicate