Strange rewrite_by_lua outcome

Tim Mensch tim-nginx at
Mon Oct 17 05:03:45 UTC 2011

On 10/16/2011 10:50 PM, Nginx User wrote:
> BTW this works fine even though it has "\":
> local query_string =,
> "((php|sql)-?my-?admin/|my-?(php|sql)-?admin|(php|sql)-?manager)|(_vpi|xAou6|db_name|clientrequest|option_value|sys_cpanel|db_connect|doeditconfig|check_proxy|system_user|spaw2|prx2|thisdoesnotexist|proxyjudge1|ImpEvData|proxydeny|base64|crossdomain|localhost|wwwroot|mosconfig|scanner|proc/self/environ)|\.(outcontrol|rdf|XMLHTTP|cgi|asp|aspx|cfg|dll|exe|jsp|mdb|sql|ini|rar|inc|dll)|(/admin/sqlpatch\.php/password_forgotten\.php\?action=execute)|etc/passwd|/manager/html","io")

You're just doing "\." in that line. If Nginx strips that "\", then it
ends up in Lua as ".", which changes the meaning but will happen to work
in most cases (though it would match sqlpatch_php and other similar
strings, and not just sqlpatch.php, since the "." will be the wildcard).

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the nginx mailing list