[Bug] X-Accel-Redirect

Maxim Dounin mdounin at mdounin.ru
Sat Oct 16 21:18:08 MSD 2010


[sorry for long delay, I had no time to review the patch]

On Sun, Oct 03, 2010 at 10:11:58AM -0400, rovervr wrote:

> This is the last version of the patch for version 0.8.52 which is now
> live on our production servers for several days without any flaws. 
> http://www.coderain.de/nginx/nginx-0.8.52-xred.patch
> The escaping takes place at ngx_http_parse_unsafe_uri() as Maxim
> suggested. 


This patch is wrong.  It will unescape query string as well, which 
is expected to remain escaped.  Additionaly, at least "../" unsafe 
check should be reconsidered after unescaping.

Maxim Dounin

More information about the nginx mailing list