Strange rewrite_by_lua outcome

Nginx User nginx at nginxuser.net
Mon Oct 17 04:50:34 UTC 2011


On 17 October 2011 07:47, Nginx User <nginx at nginxuser.net> wrote:
> On 17 October 2011 03:55, agentzh <agentzh at gmail.com> wrote:
>> On Mon, Oct 17, 2011 at 4:11 AM, Nginx User <nginx at nginxuser.net> wrote:
>>>
>>> This produces a 500 Internal server error instead:
>>> #GET /submit_links/
>>> rewrite_by_lua '
>>>        local request_uri = ngx.re.match(ngx.var.request_uri,
>>> "\:|\[|\]|\-\-|\@|\^|\{|\}|\~|\<|\>|\.\.|\+\+|//|\%0|\%A|\%B|\%C|\%D|\%E|\%F|\%22|\%27|\%28|\%29|\%3C|\%3E|\%5C|\%7B|\%7C|\%7D|select(\s*)\(|convert(\s*)\(|/query/|function\.|remoteFile|servername|\&rptmode\=|/\(null\)/|(maincore|authorize|macromates|head_auth|submit_links|change_action|admin_db_utilities|admin\.webring\.docs|Table/Latest/index)\.|w00t|MNG/LIVE|/x[0-9][0-9]|\\x[0-9][0-9]|/(cgi|https?)/|\.css\(|\)\+|/\,/|\{0\}|eval\(|\_vti\_|\(null\)|echo.*kae|function(\.array\-rand|\(\))",
>>> "io")
>>
>> I think you should escape "\" here according to nginx's string literal
>> syntax (you do not need to escape "\" in your previous "if" example
>> because Nginx uses special regex syntax in that regex context. You'll
>> also have to escape the "\" according to Lua string escaping rules
>> too. That is, escaping "\" *twice*.
>>
>>>
>>> Line 62: "23388#0: *258 Failed to load Lua inlined code: [string
>>> "rewrite_by_lua"]:24: ')' expected near '|', client: xx.xxx.xx.xx,
>>> server: testsite.com, request: "GET /submit_links HTTP/1.1", host:
>>> "testsite.com""
>>> http://pastebin.com/XYNwEciX
>>>
>>
>> The error message indicates a Lua syntax error in your Lua source
>> code. A quick solution to this is to put your code into a separate
>> .lua file and use rewrite_by_lua_file instead such that you do not
>> have to escape "\" twice (once for Nginx string escaping rules and
>> another for Lua string escaping rules).
>>
>> Here's an example:
>>    # nginx.conf
>>    location /foo {
>>        rewrite_by_lua 'ngx.re.match("\\\\d+", ngx.var.uri)';  # we're
>> using \d+ here but requires twice escaping
>>    }
>>
>> And to use external .lua file:
>>
>>    # nginx.conf
>>    location /foo {
>>        rewrite_by_lua_file conf/my.lua;
>>    }
>>
>>    # conf/my.lua
>>    ngx.re.match("\\d+", ngx.var.uri)
>>
>> We can see that in the first example, we need to escape "\" for Nginx
>> string literals (so it becomes "\\") and then escape each of these two
>> back-slashes again according for Lua string literals and thus got
>> "\\\\" at last.
>>
>> But in the second example, we only need to esacpe "\" once according
>> to Lua string literal syntax, which is a bit better looking :)
>>
>> This gotcha is documented in ngx_lua's wiki page here:
>>
>>    http://wiki.nginx.org/HttpLuaModule#ngx.re.match
>
> I'll use the rewrite module for this regex since it works as is and
> try to understand the issue later.
>
> Thanks.
>

BTW this works fine even though it has "\":

local query_string = ngx.re.match(ngx.var.request_uri,
"((php|sql)-?my-?admin/|my-?(php|sql)-?admin|(php|sql)-?manager)|(_vpi|xAou6|db_name|clientrequest|option_value|sys_cpanel|db_connect|doeditconfig|check_proxy|system_user|spaw2|prx2|thisdoesnotexist|proxyjudge1|ImpEvData|proxydeny|base64|crossdomain|localhost|wwwroot|mosconfig|scanner|proc/self/environ)|\.(outcontrol|rdf|XMLHTTP|cgi|asp|aspx|cfg|dll|exe|jsp|mdb|sql|ini|rar|inc|dll)|(/admin/sqlpatch\.php/password_forgotten\.php\?action=execute)|etc/passwd|/manager/html",
"io")
if query_string then
	ngx.exit(ngx.HTTP_FORBIDDEN)
end

Haven't read the gotcha link yet to understand the intricacies yet though.

Cheers.



More information about the nginx mailing list