URL encoding and other hackery
Igor Sysoev
is at rambler-co.ru
Sun Feb 17 20:40:47 MSK 2008
On Sat, Feb 16, 2008 at 08:44:00PM -0800, Adam Doppelt wrote:
> Hi. First, let me just say that I love nginx. Thanks for creating and
> maintaining it - we appreciate it.
>
> I am using nginx as the front end to a rails cluster. When rails
> generates a page I write the page to disk, where nginx can look for it
> later. I want to use something like this:
>
> if (-f $document_root/$uri)
You should use $request_filename instead - it's "$document_root$uri".
However, $request_filename correctly handles "root" as "alias".
> But I anticipate a few problems:
>
> 1) the uri might include ".." or similar hackery
> 2) the uri might include query parameters
$uri and $request_filename do not contain query parameters.
The query parameters are available via $args or $query_string (the latter
is for compatibility with Apache).
> That leads to my questions:
>
> 1) Does nginx validate incoming uris? Will it strip out ".."?
Yes, nginx processes various /./, /../ in clear and escaped form,
and does not allow going below the URI's root.
> 2) Can I URL encode a variable?
I do not understand the question.
--
Igor Sysoev
http://sysoev.ru/en/
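
A simplified Python model of the behaviour described in the reply above, added here as an illustration (it is not nginx's code and not part of the original message): the query string is split off, the path is percent-decoded once, `/./` and `/../` are resolved, and a path that would go below the root is rejected. The function names, the sample document root and the sample request targets are constructed for this example.

```python
from urllib.parse import unquote


class BadRequest(Exception):
    """The path tried to climb above the URI root."""


def normalize_uri(request_target):
    """Split a request target into (uri, args); uri is decoded and dot-free."""
    path, _, args = request_target.partition("?")   # args never reach uri
    decoded = unquote(path)                         # decode %XX exactly once
    if not decoded.startswith("/"):
        raise BadRequest("path must start with /")
    segments = []
    for seg in decoded.split("/"):
        if seg in ("", "."):                        # "//" and "/./" collapse
            continue
        if seg == "..":
            if not segments:                        # nothing left to pop
                raise BadRequest("path goes below the URI root")
            segments.pop()
        else:
            segments.append(seg)
    uri = "/" + "/".join(segments)
    if segments and decoded.endswith(("/", "/.", "/..")):
        uri += "/"                                  # keep the directory form
    return uri, args


def request_filename(document_root, request_target):
    """Model of "$document_root$uri"; returns None when the request is rejected."""
    try:
        uri, _ = normalize_uri(request_target)
    except BadRequest:
        return None
    return document_root.rstrip("/") + uri


if __name__ == "__main__":
    ROOT = "/var/www/app/public"                    # constructed sample root
    for target in ("/posts/1.html?page=2", "/a/./b/../c.html",
                   "/a/%2e%2e/c.html", "/%2e%2e/%2e%2e/x", "/a/%252e%252e/c"):
        print(f"{target!r:28} -> {request_filename(ROOT, target)!r}")
```

In this model a double-encoded `%252e%252e` decodes to the literal segment name `%2e%2e` and is not treated as a parent-directory reference, because decoding happens only once before the dot segments are resolved.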