URL encoding and other hackery

Igor Sysoev is at rambler-co.ru
Sun Feb 17 20:40:47 MSK 2008


On Sat, Feb 16, 2008 at 08:44:00PM -0800, Adam Doppelt wrote:

> Hi. First, let me just say that I love nginx. Thanks for creating and 
> maintaining it - we appreciate it.
> 
> I am using nginx as the front end to a rails cluster. When rails 
> generates a page I write the page to disk, where nginx can look for it 
> later. I want to use something like this:
> 
> if (-f $document_root/$uri)

You should use $request_filename instead: it's "$document_root$uri".
However, $request_filename correctly handles "root" as well as "alias".

> But I anticipate a few problems:
> 
> 1) the uri might include ".." or similar hackery
> 2) the uri might include query parameters

$uri and $request_filename do not contain query parameters.
The query parameters are available via $args or $query_string (the latter
is for compatibility with Apache).

> That leads to my questions:
> 
> 1) Does nginx validate incoming uris? Will it strip out ".."?

Yes, nginx processes various /./, /../ in clear and escaped form,
and does not allow going below the URI's root.

> 2) Can I URL encode a variable?

I do not understand the question.


-- 
Igor Sysoev
http://sysoev.ru/en/
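The page-cache check discussed in this thread, written out as an added configuration example (not from the thread or the nginx project). Upstream name, hostname and filesystem paths are assumed placeholders; the point is that $request_filename already carries the normalized, query-string-free path and resolves correctly under both "root" and "alias":

```nginx
# Added illustration: serving Rails-generated pages from disk when they exist.
# "rails_backend", "example.com" and all paths below are assumed placeholders.
upstream rails_backend {
    server 127.0.0.1:3000;
}

server {
    listen 80;
    server_name example.com;
    root /var/www/app/public;          # $document_root for this server

    # Case 1: plain "root".  $request_filename == $document_root$uri, e.g.
    #   GET /posts/1?page=2   ->  /var/www/app/public/posts/1
    # The query string (?page=2) is never part of $uri; it lives in $args.
    # $uri has /./ and /../ (plain or %-escaped) resolved already and cannot
    # climb above "/", so the check can never point outside the root.
    location / {
        if (-f $request_filename) {
            break;                     # cached page found on disk: serve it
        }
        proxy_pass http://rails_backend;   # otherwise let Rails render it
    }

    # Case 2: "alias".  Here $document_root$uri would be wrong
    # (/var/www/app/public/cached/posts/1), but $request_filename is right:
    #   GET /cached/posts/1   ->  /var/cache/pages/posts/1
    location /cached/ {
        alias /var/cache/pages/;
        if (-f $request_filename) {
            break;
        }
        proxy_pass http://rails_backend;
    }
}
```

Newer nginx releases provide try_files for exactly this "serve the file if it exists, else go to the backend" pattern, which avoids the rewrite-module `if` altogether; the `if (-f $request_filename)` form above is kept only because it is what the thread discusses.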
