ngx_lua location capture issue
agentzh
agentzh at gmail.com
Fri Oct 21 04:08:13 UTC 2011
On Fri, Oct 21, 2011 at 12:02 AM, Nginx User <nginx at nginxuser.net> wrote:
> On 20 October 2011 14:48, agentzh <agentzh at gmail.com> wrote:
> Take this regex for example: (?:^>[\w\s]*<\/?\w{2,}>)
>
Good lord!
Why are you using "^" here? Are you meant to match from the very start
of your $request_uri string?
And why are you escaping "/" ? It is *not* a special thing in the
regex syntax that requires escaping.
As years of Perl programmer, I must say your regex here is by no means correct.
> When I use my "incorrect" escaping in access_by_lua file ...
>
> local query_string = ngx.re.match(ngx.var.request_uri,
> "(?:^>[\\\w\\\s]*<\\\/?\\\w{2,}>)", "io")
> -- finds unquoted attribute breaking injections -- xss -- csrf
> -- <impact>2</impact>
> if query_string then
> ngx.exit(ngx.HTTP_BAD_REQUEST)
> end
>
I'm not meant to help with Perl compatible regex usage, but here's my
working version:
-- html/foo.lua
local uri = "<impact>2</impact>"
local regex = '(?:>[\\w\\s]*</?\\w{2,}>)';
ngx.say("regex: ", regex)
m = ngx.re.match(uri, regex, "oi")
if m then
ngx.say("[", m[0], "]")
else
ngx.say("not matched!")
end
# nginx.conf
location /re {
access_by_lua_file html/foo.lua;
content_by_lua return;
}
GET /re yields
regex: (?:>[\w\s]*</?\w{2,}>)
[>2</impact>]
Regards,
-agentzh
More information about the nginx
mailing list