ngx_lua location capture issue
agentzh
agentzh at gmail.com
Fri Oct 21 04:13:30 UTC 2011
On Fri, Oct 21, 2011 at 12:08 PM, agentzh <agentzh at gmail.com> wrote:
>> local query_string = ngx.re.match(ngx.var.request_uri,
>> "(?:^>[\\\w\\\s]*<\\\/?\\\w{2,}>)", "io")
>> -- finds unquoted attribute breaking injections -- xss -- csrf
>> -- <impact>2</impact>
BTW, it's bad practice to match against $request_uri directly because
query strings may be escaped according to URI escaping rules. (Yes!
there's escaping everywhere!)
For example, Forefox will escape "<a>3</a>" into "a=%3Ca%3E3%3C/a%3E",
which will surely never be matched by the regexes used here.
You can try ngx.unescape_uri to preprocess the $request_uri thing first, see:
http://wiki.nginx.org/HttpLuaModule#ngx.unescape_uri
Good luck!
-agentzh
More information about the nginx
mailing list