Strange rewrite_by_lua outcome

Tim Mensch tim-nginx at bitgems.com
Mon Oct 17 05:03:45 UTC 2011


On 10/16/2011 10:50 PM, Nginx User wrote:
>
> BTW this works fine even though it has "\":
>
> local query_string = ngx.re.match(ngx.var.request_uri,
> "((php|sql)-?my-?admin/|my-?(php|sql)-?admin|(php|sql)-?manager)|(_vpi|xAou6|db_name|clientrequest|option_value|sys_cpanel|db_connect|doeditconfig|check_proxy|system_user|spaw2|prx2|thisdoesnotexist|proxyjudge1|ImpEvData|proxydeny|base64|crossdomain|localhost|wwwroot|mosconfig|scanner|proc/self/environ)|\.(outcontrol|rdf|XMLHTTP|cgi|asp|aspx|cfg|dll|exe|jsp|mdb|sql|ini|rar|inc|dll)|(/admin/sqlpatch\.php/password_forgotten\.php\?action=execute)|etc/passwd|/manager/html","io")

You're just doing "\." in that line. If Nginx strips that "\", then it
ends up in Lua as ".", which changes the meaning but will happen to work
in most cases (though it would match sqlpatch_php and other similar
strings, and not just sqlpatch.php, since the "." will be the wildcard).

Tim
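
The effect described in this message, as an added example that is not part of the original post: the Python sketch below takes a shortened fragment of the quoted pattern, models a quoting layer that drops each backslash (a simplification, not nginx's actual parser), and lists the URIs whose match result changes. The function names and the sample URIs are constructed for illustration.

```python
import re

# Shortened fragment of the quoted pattern, as the regex engine is meant to see it.
INTENDED = r"\.(cgi|asp|exe|sql|ini)|/admin/sqlpatch\.php|etc/passwd"

# Constructed request URIs (not taken from any real log).
SAMPLE_URIS = [
    "/admin/sqlpatch.php",
    "/admin/sqlpatch_php",
    "/blog/raspberry-pie",
    "/download/report.exe",
    "/index.html",
]


def strip_backslashes(pattern):
    """Model of a quoting layer that consumes each backslash and keeps the
    character after it (assumption: simplified model of the stripping)."""
    return re.sub(r"\\(.)", r"\1", pattern, flags=re.S)


def preserve_escapes(pattern):
    """Double every backslash so that one survives a single stripping layer."""
    return pattern.replace("\\", "\\\\")


def verdict_changes(intended, delivered, uris):
    """Return the URIs that one pattern matches and the other does not."""
    a = re.compile(intended, re.I)   # re.I stands in for the "i" option
    b = re.compile(delivered, re.I)
    return [u for u in uris if bool(a.search(u)) != bool(b.search(u))]


if __name__ == "__main__":
    delivered = strip_backslashes(INTENDED)
    print("intended :", INTENDED)
    print("delivered:", delivered)
    for uri in verdict_changes(INTENDED, delivered, SAMPLE_URIS):
        print("verdict changed for", uri)
    # With the backslashes doubled, the engine receives the intended pattern.
    print("after doubling:", strip_backslashes(preserve_escapes(INTENDED)))
```

Once the dot becomes a wildcard, the extension alternation matches any URI that merely contains "asp" or "sql" after some character, so the rule blocks far more than the file extensions it was written for.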