ngx_lua location capture issue
Nginx User
nginx at nginxuser.net
Thu Oct 20 16:02:39 UTC 2011
On 20 October 2011 14:48, agentzh <agentzh at gmail.com> wrote:
> As I said, try using external .lua file and
> content/rewrite/access/set_by_lua_file to avoid nginx string escaping
> issues.
Understood. However, when I follow your instructions on this, things
fail. They seem to work my way.
Take this regex for example: (?:^>[\w\s]*<\/?\w{2,}>)
When I use my "incorrect" escaping in access_by_lua file ...
local query_string = ngx.re.match(ngx.var.request_uri,
    "(?:^>[\\\w\\\s]*<\\\/?\\\w{2,}>)", "io")
-- finds unquoted attribute breaking injections -- xss -- csrf
-- <impact>2</impact>
if query_string then
    ngx.exit(ngx.HTTP_BAD_REQUEST)
end
... the debug log entry is ....
[debug] 24803#0: *154 lua regex cache miss for match regex
"(?:^>[\w\s]*<\/?\w{2,}>)" with options "io"
[debug] 24803#0: *154 lua compiling match regex
"(?:^>[\w\s]*<\/?\w{2,}>)" with options "io" (compile once: 1)
[debug] 24803#0: *154 lua saving compiled regex (0 captures) into the
cache (entries 6)
[debug] 24803#0: *154 regex "(?:^>[\w\s]*<\/?\w{2,}>)" not matched on
string "/trackip/?searchip=213.162.113.89" starting from 0
I.e. the match regex, "(?:^>[\w\s]*<\/?\w{2,}>)", is the same as the original.
I don't know why, but it works and the "correct" escaping does not.
So I'm sticking with this until I start to see problems.
Cheers.
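Added example, not part of the original message or of ngx_lua: a standalone Lua script (run with plain `lua`, no nginx needed) that compiles three spellings of the regex above as Lua string literals and compares each with the pattern the regex engine is meant to receive. It covers only the Lua-literal layer of an external .lua file; the names `intended`, `candidates` and `literal_value` are made up for illustration. Lua 5.1 silently drops the backslash of an unrecognised escape such as `\w`, while Lua 5.2 and later reject it at compile time, so the script handles both outcomes.

```lua
-- Added example: how three Lua string-literal spellings of the regex from the
-- message above come out after the Lua lexer has processed them.

-- Long brackets do no escape processing, so this is byte for byte the
-- pattern shown in the debug log.
local intended = [[(?:^>[\w\s]*<\/?\w{2,}>)]]

-- Each candidate is Lua *source text* (held in level-1 long brackets so it
-- is not unescaped here) that returns one string literal.
local candidates = {
  { name = "single backslash", src = [=[return "(?:^>[\w\s]*<\/?\w{2,}>)"]=] },
  { name = "double backslash", src = [=[return "(?:^>[\\w\\s]*<\\/?\\w{2,}>)"]=] },
  { name = "triple backslash", src = [=[return "(?:^>[\\\w\\\s]*<\\\/?\\\w{2,}>)"]=] },
}

-- loadstring exists in Lua 5.1 and LuaJIT; load(string) replaces it in 5.2+.
local compile = loadstring or load

-- Compile the literal and return the string the regex engine would see,
-- or nil plus the lexer's error message.
local function literal_value(src)
  local chunk, err = compile(src)
  if not chunk then
    return nil, err
  end
  return chunk()
end

for _, c in ipairs(candidates) do
  local value, err = literal_value(c.src)
  if not value then
    print(c.name .. ": rejected by the lexer: " .. err)
  elseif value == intended then
    print(c.name .. ": same as intended pattern")
  else
    -- A silently altered pattern is the dangerous case for a filter rule:
    -- it still compiles but no longer matches what was meant.
    print(c.name .. ": DIFFERENT pattern: " .. value)
  end
end
```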