I've removed the lines from this page instructing users to set the PHP configuration parameter cgi.fix_pathinfo=0.
In summary, within the context of Nginx and php-fpm the best(?) way to handle potential PATH_INFO vulnerabilities as described in those articles is to use the default behaviour of php-fpm, i.e. within,
security.limit_extensions = .php
Either way will work just fine, but this is one step less with no real downsides...
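A check for the setting discussed above, as an added example that is not part of the original comments or of the Moodle or php-fpm projects: it reads php-fpm pool configuration text and reports any pool where security.limit_extensions has been changed from the `.php` default. The sample pool files, pool names and function names are constructed for illustration, and the parser assumes one directive per line with no trailing comments.

```python
import re

# Constructed sample pool files (not taken from the page).
POOL_DEFAULT = """\
[www]
listen = /run/php-fpm.sock
;security.limit_extensions = .php .php3 .php4 .php5
"""
POOL_WEAK = """\
[www]
security.limit_extensions =
[uploads]
security.limit_extensions = .php .jpg
"""

FPM_DEFAULT = [".php"]  # php-fpm's built-in value when the directive is unset

def limit_extensions(pool_text):
    """Return {pool: [extensions]}, filling in the default for unset pools."""
    pools, current = {}, None
    for raw in pool_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank line or commented-out directive
            continue
        section = re.fullmatch(r"\[(.+)\]", line)
        if section:
            name = section.group(1)
            current = None if name == "global" else name  # [global] is not a pool
            if current:
                pools[current] = list(FPM_DEFAULT)
            continue
        key, sep, value = line.partition("=")
        if sep and current and key.strip() == "security.limit_extensions":
            pools[current] = value.split()  # space-separated list, may be empty
    return pools

def audit(pool_text):
    """Return (pool, problem) pairs for pools that widen the default."""
    findings = []
    for pool, exts in limit_extensions(pool_text).items():
        if not exts:
            findings.append((pool, "empty value: any file extension may be executed"))
        extra = [e for e in exts if e != ".php"]
        if extra:
            findings.append((pool, "non-.php extensions allowed: " + " ".join(extra)))
    return findings
```

A pool that leaves the directive commented out or absent passes, because the default already restricts execution to `.php` files.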
I want to propose adding information on how to get Nginx working in MAMP.
For MAMP, add the following two lines on the Nginx settings page for »Additional parameters ...«:
rewrite ^/(.*)/(.*\.php)(/)(.*)$ /$1/$2?file=/$4 last;
rewrite ^/(.*\.php)(/)(.*)$ /$1?file=/$3 last;