location regular expression not filtering some characters

Francis Daly francis at daoine.org
Tue Jun 19 18:32:55 UTC 2012

On Tue, Jun 19, 2012 at 02:05:10PM -0400, CM Fields wrote:

Hi there,

> We can add a question mark and anything we want to after that and it will be
> passed to your back end or script.
>   http://example.com/data/1234.txt?some_text../../../%del table%

By default, yes; because that's (presumably) the usual case.

But you decide, in nginx.conf, exactly what gets passed to your back
end or script.

Presumably you use proxy_pass or fastcgi_pass or some similar directive
to send data to your back end. It should be possible to configure that
directive to send what you want, and not to send what you don't want.

$uri and $request_uri are different variables; possibly you can use one
of those to achieve what you want.

> I am interested if this is an expected result. My concern is that the regex
> I specified is being silently ignored. Should Nginx respect the user
> configuration
> and deny access to the URL with the question mark in it?

I suspect this is just down to a different understanding of what the nginx
config is doing. The "location" directive only tries to match from the
first / after the hostname, to just before the first ? or #. (Within that
range, it matches the unescaped url.)

If you care about anything after that, you have to handle it separately.

All the best,

Francis Daly        francis at daoine.org

More information about the nginx mailing list