Preventing args other than list

Markus Jelsma markus.jelsma at openindex.io
Tue Oct 12 01:39:54 MSD 2010


Ah yes, using a regex didn't come to mind. We'll check if it works.

Thanks!

> Hello!
> 
> On Mon, Oct 11, 2010 at 05:08:09PM +0100, Valery Kholodkov wrote:
> > ----- Markus Jelsma <markus.jelsma at openindex.io> wrote:
> > > Hi list,
> > > 
> > > We're having an upstream server that can accept many different
> > > parameters. Most query string parameters can be predefined in the
> > > backend itself but some cannot because they are unpredictable.
> > > 
> > > We'd like to configure our proxy as to only allow a set of parameters
> > > that we want to define in Nginx. Configuring the list in a map seems
> > > easy, but comparing it to the actual query parameters seems hard.
> > > 
> > > I know how I can test on availability of parameters by using
> > > $args_PARAMETER and the if directive. But just as in the backend, we
> > > want to inverse the list.  We need to define what IS allowed, not what
> > > ISN'T allowed.
> > > 
> > > Any suggestions on how to proceed?
> > 
> > The only solution I know that doesn't require low level coding is built
> > in Perl.
> 
> I believe appropriate checks may be easily written with regexp,
> e.g. this one will allow only arg1 and arg2 arguments:
> 
>    if ($args !~ "^(((arg1|arg2)=[^&;]*)([&;]+((arg1|arg2)=[^&;]*))*)?$") {
>        return 403;
>    }
> 
> ("?:" omitted for clarity)
> 
> The only downside is that it uses "if", which is known to be evil
> (http://wiki.nginx.org/IfIsEvil).  Though this one is safe even in
> location context as it uses "return".
> 
> Maxim Dounin
> 
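Added example, not part of the original thread: a Python sketch that rebuilds the regex quoted above from a list of allowed parameter names (with the `?:` groups restored) and checks it against constructed query strings before it goes into the nginx config. The function names and sample strings are assumptions; Python's `re` stands in for nginx's PCRE matching, which treats these constructs the same way.

```python
import re


def build_allowlist_regex(names):
    """Generalize the thread's regex to any list of allowed parameter names."""
    if not names:
        raise ValueError("allowlist must not be empty")
    alt = "|".join(re.escape(n) for n in names)
    pair = rf"(?:{alt})=[^&;]*"              # one allowed name=value pair
    return rf"^(?:{pair}(?:[&;]+{pair})*)?$"  # zero or more pairs, nothing else


def is_allowed(args, pattern):
    """Mirror `if ($args !~ pattern) { return 403; }`; True means no 403."""
    return re.search(pattern, args) is not None


PATTERN = build_allowlist_regex(["arg1", "arg2"])

# Constructed samples: (raw query string as nginx sees it in $args, expected).
SAMPLES = [
    ("", True),                # no query string at all
    ("arg1=a", True),
    ("arg1=a&arg2=b", True),
    ("arg1=a;arg2=b", True),   # ';' is accepted as a separator
    ("arg1=a&&arg2=b", True),  # repeated separators are accepted
    ("arg1=", True),           # empty value
    ("arg1=a&arg1=b", True),   # duplicates pass; the backend picks one
    ("arg3=x", False),
    ("arg1=a&arg3=x", False),
    ("xarg1=a", False),        # anchoring prevents suffix matches
    ("arg1", False),           # a bare name without '=' is rejected
    ("arg1=a&", False),        # a trailing separator is rejected
    ("ARG1=a", False),         # `~` / `!~` are case-sensitive
    ("%61rg1=a", False),       # $args is not decoded, so this fails closed
]


def failed_samples(pattern=PATTERN):
    """Return the samples whose result differs from the expected outcome."""
    return [(q, want) for q, want in SAMPLES if is_allowed(q, pattern) != want]


if __name__ == "__main__":
    print('if ($args !~ "%s") { return 403; }' % PATTERN)
    print("mismatches:", failed_samples())
```

The accepted cases show what the backend still has to tolerate: duplicate parameters, empty values, and both `&` and `;` as separators.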