Preventing args other than list

Maxim Dounin mdounin at
Mon Oct 11 20:34:38 MSD 2010


On Mon, Oct 11, 2010 at 05:08:09PM +0100, Valery Kholodkov wrote:

> ----- Markus Jelsma <markus.jelsma at> wrote:
> > Hi list,
> > 
> > We're having an upstream server that can accept many different parameters. Most 
> > query string parameters can be predefined in the backend itself but some cannot 
> > because they are unpredictable.
> > 
> > We'd like to configure our proxy as to only allow a set of parameters that we 
> > want to define in Nginx. Configuring the list in a map seems easy, but comparing 
> > it to the actual query parameters seems hard.
> > 
> > I know how I can test on availability of parameters by using $args_PARAMETER 
> > and the if directive. But just as in the backend, we want to inverse the 
> > list.  We need to define what IS allowed, not what ISN'T allowed.
> > 
> > Any suggestions on how to proceed?
>
> The only solution I know that doesn't require low level coding is built in perl.

I believe appropriate checks may be easily written with regexp, 
e.g. this one will allow only arg1 and arg2 arguments:

   if ($args !~ "^(((arg1|arg2)=[^&;]*)([&;]+((arg1|arg2)=[^&;]*))*)?$") {
       return 403;
   }

("?:" omitted for clarity)

The only downside is that it uses "if", which is known to be evil. 
Though this one is safe even in location context as it uses 
"return".

Maxim Dounin
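
The allowlist regexp from the reply above, exercised against constructed query strings; this is an added example, not part of the original post. Python's `re` stands in for nginx's PCRE, and the function names (`build_allowlist_pattern`, `is_allowed`, `run_samples`) are hypothetical helpers that generalize the pattern to any list of allowed names.

```python
import re

# The pattern exactly as posted, for comparison with the generated one.
POSTED = r"^(((arg1|arg2)=[^&;]*)([&;]+((arg1|arg2)=[^&;]*))*)?$"

def build_allowlist_pattern(allowed):
    """Build the same shape of regexp for an arbitrary list of allowed names."""
    names = "|".join(re.escape(n) for n in allowed)
    pair = rf"(?:{names})=[^&;]*"
    # Non-capturing groups ("?:") are written out here; the post omitted them.
    return rf"^(?:{pair}(?:[&;]+{pair})*)?$"

def is_allowed(pattern, args):
    """Mirror `if ($args !~ pattern) { return 403; }`: True means the request passes."""
    return re.search(pattern, args) is not None

PATTERN = build_allowlist_pattern(["arg1", "arg2"])

# Constructed samples: the raw query string as nginx exposes it in $args,
# mapped to whether the check lets it through.
SAMPLES = {
    "": True,                 # no query string at all
    "arg1=a": True,
    "arg1=a&arg2=b": True,
    "arg2=b;arg1=a": True,    # ";" is accepted as a separator
    "arg1=a&&arg2=b": True,   # [&;]+ permits repeated separators
    "arg1=a&arg1=b": True,    # the same allowed name may repeat
    "arg1=": True,            # empty value is fine
    "arg1": False,            # name without "=" is rejected
    "arg1=a&": False,         # trailing separator is rejected
    "arg1=a&arg3=c": False,   # one unlisted name fails the whole request
    "xarg1=a": False,         # no prefix match
    "arg1x=a": False,         # no suffix match
    "%61rg1=a": False,        # $args is not percent-decoded before matching
    "ARG1=a": False,          # "!~" is case-sensitive
}

def run_samples(pattern=PATTERN):
    return {q: is_allowed(pattern, q) for q in SAMPLES}

if __name__ == "__main__":
    for q, ok in run_samples().items():
        print(f"{q!r:20} -> {'pass' if ok else '403'}")
```

The rejected `arg1` and `arg1=a&` cases matter in practice: clients that send valueless flags or a trailing `&` get a 403 from this pattern.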
