Preventing args other than list
Maxim Dounin
mdounin at mdounin.ru
Mon Oct 11 20:34:38 MSD 2010
Hello!
On Mon, Oct 11, 2010 at 05:08:09PM +0100, Valery Kholodkov wrote:
>
> ----- Markus Jelsma <markus.jelsma at openindex.io> wrote:
> > Hi list,
> >
> > We're having an upstream server that can accept many different parameters. Most
> > query string parameters can be predefined in the backend itself but some cannot
> > because they are unpredictable.
> >
> > We'd like to configure our proxy as to only allow a set of parameters that we
> > want to define in Nginx. Configuring the list in a map seems easy, but comparing
> > it to the actual query parameters seems hard.
> >
> > I know how I can test on availability of parameters by using $args_PARAMETER
> > and the if directive. But just as in the backend, we want to inverse the
> > list. We need to define what IS allowed, not what ISN'T allowed.
> >
> > Any suggestions on how to proceed?
>
> The only solution I know that doesn't require low level coding is build in perl.

I believe appropriate checks may be easily written with regexp,
e.g. this one will allow only arg1 and arg2 arguments:

    if ($args !~ "^(((arg1|arg2)=[^&;]*)([&;]+((arg1|arg2)=[^&;]*))*)?$") {
        return 403;
    }

("?:" omitted for clarity)

The only downside is that it uses "if", which is known to be evil
(http://wiki.nginx.org/IfIsEvil). Though this one is safe even in
location context as it uses "return".

Maxim Dounin
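
An added example, not part of the original message: a Python harness that builds the same regular expression from any list of allowed names and runs it over constructed query strings, to show which edge cases the pattern passes and which get the 403. The function names and sample strings are assumptions of this example, and Python's re module stands in for the PCRE matching nginx performs.

```python
import re

def build_allowlist_regex(names):
    """Build the anchored pattern from the post for any list of names.

    The "?:" the post left out for clarity is written out here.
    """
    if not names:
        raise ValueError("allowlist needs at least one name")
    for name in names:
        # Assumption of this example: names use only characters that are
        # never percent-encoded, so raw and decoded forms are identical.
        if not re.fullmatch(r"[A-Za-z0-9_.-]+", name):
            raise ValueError(f"unsupported parameter name: {name!r}")
    alt = "|".join(re.escape(n) for n in names)
    pair = rf"(?:{alt})=[^&;]*"              # one name=value pair
    return rf"^(?:{pair}(?:[&;]+{pair})*)?$"  # zero or more pairs

def is_allowed(query, names):
    """True when the raw query string passes the allowlist regex."""
    return re.match(build_allowlist_regex(names), query) is not None

# Constructed query strings, raw as nginx exposes them in $args.
SAMPLES = [
    "", "arg1=a", "arg1=a&arg2=b", "arg2=b;arg1=a", "arg1=a&&arg2=b",
    "arg1=a=b", "arg1=a&debug=1", "arg10=a", "arg1", "arg1=a&",
    "ARG1=a", "%61rg1=a",
]

def classify(samples, names):
    """Map each sample to 'pass' or '403', mirroring the if/return 403."""
    return {q: ("pass" if is_allowed(q, names) else "403") for q in samples}

if __name__ == "__main__":
    print(build_allowlist_regex(["arg1", "arg2"]))
    for query, verdict in classify(SAMPLES, ["arg1", "arg2"]).items():
        print(f"{verdict:4}  {query!r}")
```

The last two samples get 403 because `!~` matches case-sensitively and `$args` is the raw, undecoded query string, so the check fails closed on differently cased or percent-encoded names.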