Encoded slashes in URL with proxy = trouble?
Igor Sysoev
igor at sysoev.ru
Fri Sep 9 15:06:57 UTC 2011
On Fri, Sep 09, 2011 at 10:47:10AM -0400, François Beausoleil wrote:
> Hi!
>
> Nginx is in front of the RabbitMQ management extension. Some of the URLs the extension generates contain an embedded slash character (%2F):
>
> http://somehost/#/queues/%2F/events
>
> The encoded slash represents the vhost I want to get information about. I found an older ServerFault question with no answer[1], and was wondering if any of you had a way to let Nginx pass through the encoded slash?
>
> Thanks!
> François
>
> [1] http://serverfault.com/questions/289188/nginx-passenger-encoded-slash

First, I'm not sure that the browser sends to a server anything after
the hash character "#", since the hash means a fragment on the page.

As to the encoded slash, nginx normalizes the URI: it decodes all characters,
so "/queues/%2F/events" becomes "/queues///events", and then it merges
all slashes, "/./", and "/../" to test the URI against locations.
Otherwise, anyone can request something like "/%2E%2E%2E../../etc/passwd"
to get files out of server control. Or to get the source text of the script
files instead of executing them.

If you want to pass the unchanged request to the backend, you can use just
the backend name without a slash in proxy_pass:

location /queues/ {
    proxy_pass http://backend;
}

i.e.,

- proxy_pass http://backend/;
+ proxy_pass http://backend;
--
Igor Sysoev
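
The normalization and the two proxy_pass forms described in the reply above, as an added example that is not part of the original message and not nginx's own code. It is a simplified Python model: the function names are hypothetical, re-escaping of the forwarded URI is omitted, and the second sample path is constructed.

```python
from urllib.parse import unquote, urlsplit

def normalize(raw_path):
    """Model of the steps in the reply: decode %XX, merge slashes,
    resolve "/./" and "/../". Simplified; not nginx's own parser."""
    decoded = unquote(raw_path)
    kept = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue                      # merged slash or "/./"
        if seg == "..":
            if not kept:                  # would climb above "/"; the model rejects it
                raise ValueError("path escapes the root")
            kept.pop()
        else:
            kept.append(seg)
    norm = "/" + "/".join(kept)
    if decoded.endswith("/") and norm != "/":
        norm += "/"                       # keep a trailing slash
    return norm

def upstream_uri(raw_path, location, proxy_pass):
    """URI the backend would see for a prefix location, or None if the
    normalized path does not match the location at all."""
    norm = normalize(raw_path)
    if not norm.startswith(location):
        return None
    uri_part = urlsplit(proxy_pass).path  # "" for http://backend, "/" for http://backend/
    if uri_part == "":
        return raw_path                   # request path forwarded as received
    return uri_part + norm[len(location):]  # matched prefix replaced

if __name__ == "__main__":
    raw = "/queues/%2F/events"            # path from the thread
    print(normalize(raw))
    print(upstream_uri(raw, "/queues/", "http://backend/"))
    print(upstream_uri(raw, "/queues/", "http://backend"))
    # Constructed path: encoded dot segments do not stay under /queues/
    print(upstream_uri("/queues/%2E%2E/admin", "/queues/", "http://backend"))
```

Location matching uses the normalized path in both forms; only what is forwarded differs. With the form without a URI part, the backend receives the client's raw path and has to do its own decoding and dot-segment handling.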