Strange rewrite_by_lua outcome
Nginx User
nginx at nginxuser.net
Sun Oct 16 20:11:44 UTC 2011
This works and produces a 403 Forbidden error as expected:
#GET /submit_links/
# URI blocklist: answer 403 when $request_uri matches the regex below.
# "~*" makes the match case-insensitive.
# $request_uri is the URI as sent by the client (query string included, not
# decoded or normalized), so alternatives such as \%27 or \%3C match the
# percent-encoded text literally.
# NOTE(review): a pattern blocklist like this only covers the encodings it
# lists; presumably it is one layer among several -- confirm that input is
# also validated by the application behind it.
if ($request_uri ~*
\:|\[|\]|\-\-|\@|\^|\{|\}|\~|\<|\>|\.\.|\+\+|//|\%0|\%A|\%B|\%C|\%D|\%E|\%F|\%22|\%27|\%28|\%29|\%3C|\%3E|\%5C|\%7B|\%7C|\%7D|select(\s*)\(|convert(\s*)\(|/query/|function\.|remoteFile|servername|\&rptmode\=|/\(null\)/|(maincore|authorize|macromates|head_auth|submit_links|change_action|admin_db_utilities|admin\.webring\.docs|Table/Latest/index)\.|w00t|MNG/LIVE|/x[0-9][0-9]|\\x[0-9][0-9]|/(cgi|https?)/|\.css\(|\)\+|/\,/|\{0\}|eval\(|\_vti\_|\(null\)|echo.*kae|function(\.array\-rand|\(\))
) {
return 403;
}
This produces a 500 Internal server error instead:
#GET /submit_links/
# Same blocklist, evaluated from inline Lua in the rewrite phase:
# ngx.re.match() tests ngx.var.request_uri against the pattern with options
# "io" (i = case-insensitive, o = compile once), and the request is ended
# with 403 when there is a match.
# NOTE(review): the pattern is nested in two string literals here (an nginx
# single-quoted string wrapping a Lua double-quoted string), so its backslash
# sequences are read by the nginx config parser and then by the Lua lexer
# before the regex engine sees them. That is presumably what causes the
# "Failed to load Lua inlined code" error quoted below -- confirm.
# Moving the code to a file (rewrite_by_lua_file) and writing the pattern as
# a Lua long-bracket string would remove both escaping layers.
# NOTE(review): per the report, the load failure answers 500, so the filter
# fails closed rather than letting the request through unfiltered.
rewrite_by_lua '
-- holds the captures table when the URI matches the blocklist, nil otherwise
local request_uri = ngx.re.match(ngx.var.request_uri,
"\:|\[|\]|\-\-|\@|\^|\{|\}|\~|\<|\>|\.\.|\+\+|//|\%0|\%A|\%B|\%C|\%D|\%E|\%F|\%22|\%27|\%28|\%29|\%3C|\%3E|\%5C|\%7B|\%7C|\%7D|select(\s*)\(|convert(\s*)\(|/query/|function\.|remoteFile|servername|\&rptmode\=|/\(null\)/|(maincore|authorize|macromates|head_auth|submit_links|change_action|admin_db_utilities|admin\.webring\.docs|Table/Latest/index)\.|w00t|MNG/LIVE|/x[0-9][0-9]|\\x[0-9][0-9]|/(cgi|https?)/|\.css\(|\)\+|/\,/|\{0\}|eval\(|\_vti\_|\(null\)|echo.*kae|function(\.array\-rand|\(\))",
"io")
if request_uri then
-- blocklisted URI: respond 403 Forbidden
ngx.exit(ngx.HTTP_FORBIDDEN)
end
';
Line 62: "23388#0: *258 Failed to load Lua inlined code: [string
"rewrite_by_lua"]:24: ')' expected near '|', client: xx.xxx.xx.xx,
server: testsite.com, request: "GET /submit_links HTTP/1.1", host:
"testsite.com""
http://pastebin.com/XYNwEciX