ngx_lua location capture issue

agentzh agentzh at gmail.com
Fri Oct 21 04:08:13 UTC 2011


On Fri, Oct 21, 2011 at 12:02 AM, Nginx User <nginx at nginxuser.net> wrote:
> On 20 October 2011 14:48, agentzh <agentzh at gmail.com> wrote:
> Take this regex for example: (?:^>[\w\s]*<\/?\w{2,}>)
>

Good lord!

Why are you using "^" here? Do you mean to match from the very start
of your $request_uri string?

And why are you escaping "/" ? It is *not* a special thing in the
regex syntax that requires escaping.

As a Perl programmer of many years, I must say your regex here is by no means correct.

> When I use my "incorrect" escaping in access_by_lua file ...
>
>       local query_string = ngx.re.match(ngx.var.request_uri,
> "(?:^>[\\\w\\\s]*<\\\/?\\\w{2,}>)", "io")
>                -- finds unquoted attribute breaking injections -- xss -- csrf
>                -- <impact>2</impact>
>                if query_string then
>                        ngx.exit(ngx.HTTP_BAD_REQUEST)
>                end
>

I'm not meant to help with Perl compatible regex usage, but here's my
working version:

    -- html/foo.lua
    local uri = "<impact>2</impact>"
    local regex = '(?:>[\\w\\s]*</?\\w{2,}>)';
    ngx.say("regex: ", regex)
    -- "o" compiles the regex once, "i" makes it case-insensitive
    local m = ngx.re.match(uri, regex, "oi")
    if m then
        ngx.say("[", m[0], "]")
    else
        ngx.say("not matched!")
    end

    # nginx.conf
    location /re {
        access_by_lua_file html/foo.lua;
        content_by_lua return;
    }

GET /re yields

    regex: (?:>[\w\s]*</?\w{2,}>)
    [>2</impact>]

Regards,
-agentzh
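
Added example, not part of the original message or of ngx_lua itself: the corrected pattern from the reply applied as an access-phase check on the real $request_uri. The file name, the log messages and the percent-decoding step are assumptions of this example; the decoding is there because $request_uri is the raw request URI, so an encoded "%3E" would not match a literal ">" in the pattern.

```lua
-- html/xss_filter.lua (hypothetical file name), loaded with:
--     access_by_lua_file html/xss_filter.lua;
--
-- In a .lua file only Lua's own string escaping applies. A long-bracket
-- literal [[...]] does no escape processing at all, so the pattern below is
-- byte for byte what PCRE receives: no "\\w" or "\\\w" needed.
local PATTERN = [[(?:>[\w\s]*</?\w{2,}>)]]

-- The "^" in the original pattern is left out on purpose: $request_uri
-- normally begins with "/", so a pattern anchored as "^>" cannot match it.

-- Returns the matched text, or nil when nothing matched.
-- A regex error is a configuration bug, so the request fails closed.
local function find_injection(subject)
    local m, err = ngx.re.match(subject, PATTERN, "io")
    if err then
        ngx.log(ngx.ERR, "xss_filter: regex error: ", err)
        return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
    end
    return m and m[0] or nil
end

local raw = ngx.var.request_uri          -- as sent by the client, still encoded
local decoded = ngx.unescape_uri(raw)    -- %3E -> ">", %3C -> "<", "+" -> " "

-- Check both forms so a literal ">" and an encoded "%3E" are treated alike.
for _, subject in ipairs({ raw, decoded }) do
    local hit = find_injection(subject)
    if hit then
        ngx.log(ngx.WARN, "xss_filter: rejected request, matched: ", hit)
        return ngx.exit(ngx.HTTP_BAD_REQUEST)
    end
end
-- No match: fall through and let the request continue to the content phase.
```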


