[Bug] X-Accel-Redirect
Maxim Dounin
mdounin at mdounin.ru
Sat Oct 16 21:18:08 MSD 2010
Hello!
[sorry for long delay, I had no time to review the patch]
On Sun, Oct 03, 2010 at 10:11:58AM -0400, rovervr wrote:
> This is the last version of the patch for version 0.8.52 which is now
> live on our production servers for several days without any flaws.
>
> http://www.coderain.de/nginx/nginx-0.8.52-xred.patch
>
> The escaping takes place at ngx_http_parse_unsafe_uri() as Maxim
> suggested.
s/escaping/unescaping/
This patch is wrong. It will unescape the query string as well, which
is expected to remain escaped. Additionally, at least the "../" unsafe
check should be reconsidered after unescaping.
Maxim Dounin
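
The two points raised in this reply, shown as an added example that is not part of the original message and is not nginx code: only the path before '?' is percent-decoded, the query string is handed back still escaped, and the "../" check runs on the decoded path. The names split_and_check_uri() and hexval() and the sample URI are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not nginx's ngx_http_parse_unsafe_uri(). */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20;                          /* fold A-F to a-f */
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Decodes the path part of uri into out, points *args at the untouched
 * query string (NULL if none). Returns 0 if safe, -1 if unsafe/malformed. */
int split_and_check_uri(const char *uri, char *out, size_t outlen,
                        const char **args)
{
    const char *q = strchr(uri, '?');
    size_t plen = q ? (size_t)(q - uri) : strlen(uri), i, n = 0;

    *args = q ? q + 1 : NULL;           /* query string stays escaped */
    if (plen == 0 || uri[0] != '/' || plen >= outlen) return -1;
    for (i = 0; i < plen; i++) {
        int c = (unsigned char)uri[i], hi, lo;
        if (c == '%') {
            if (plen - i < 3) return -1;    /* truncated escape */
            hi = hexval((unsigned char)uri[i + 1]);
            lo = hexval((unsigned char)uri[i + 2]);
            if (hi < 0 || lo < 0) return -1;
            c = hi * 16 + lo;
            i += 2;
        }
        if (c == '\0') return -1;       /* decoded NUL would truncate the path */
        out[n++] = (char)c;
    }
    out[n] = '\0';
    /* The "../" check sees the decoded bytes, so %2e%2e and ..%2f are caught. */
    for (i = 0; i < n; i++)
        if (out[i] == '/' && out[i + 1] == '.' && out[i + 2] == '.'
            && (out[i + 3] == '/' || out[i + 3] == '\0'))
            return -1;
    return 0;
}

int main(void)
{
    char out[64]; const char *args;     /* constructed sample input below */
    int rc = split_and_check_uri("/files/a%20b.txt?x=%2E%2E", out, sizeof out, &args);
    printf("rc=%d path=\"%s\" args=\"%s\"\n", rc, out, args);
    return 0;
}
```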