ngx_lua location capture issue

Nginx User nginx at nginxuser.net
Fri Oct 21 07:35:21 UTC 2011


On 21 October 2011 07:13, agentzh <agentzh at gmail.com> wrote:
> On Fri, Oct 21, 2011 at 12:08 PM, agentzh <agentzh at gmail.com> wrote:
>>>       local query_string = ngx.re.match(ngx.var.request_uri,
>>> "(?:^>[\\\w\\\s]*<\\\/?\\\w{2,}>)", "io")
>>>                -- finds unquoted attribute breaking injections -- xss -- csrf
>>>                -- <impact>2</impact>
>
> BTW, it's bad practice to match against $request_uri directly because
> query strings may be escaped according to URI escaping rules. (Yes!
> there's escaping everywhere!)
>
> For example, Firefox will escape "<a>3</a>" into "a=%3Ca%3E3%3C/a%3E",
> which will surely never be matched by the regexes used here.
>
> You can try ngx.unescape_uri to preprocess the $request_uri thing first, see:
>
>    http://wiki.nginx.org/HttpLuaModule#ngx.unescape_uri
>
> Good luck!

Thanks for the emails above.  I'll look into tackling the issues
raised in due course.
"/" is escaped because the original regex is from a PHP application
which uses "/" as a delimiter. I left it in place because the snippet
posted is just a part of the result of a series of "find and replace"
sequences on an XML file
(https://dev.itratos.de/svn/php-ids/trunk/lib/IDS/default_filter.xml)
that changes it to the Lua format. "-- <impact>2</impact>" is not the
target but just a hangover from the original XML that I couldn't find
an easy find and replace for, to cater for all possible "<impact>" tags,
and is there as a Lua comment.

As said, things are working as expected for me at present in that the
resultant regexes are consistent with the target regexes from the xml
file so I am keeping them as they are. I will change them if/when I
see issues.

In any case, this is just a fallback I put in place when trying to
call the actual application, and having just recompiled with rc17, I'll
look into having a go at that again.

Thanks!
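
The escaping point in the quoted reply, as an added example that is not code from either poster: the quoted pattern is run over a browser-escaped request URI, then over the decoded parameter values. Python's `re` and `urllib.parse.unquote_plus` stand in for `ngx.re.match` and `ngx.unescape_uri` so it runs offline; the sample URI and the helper names are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Pattern from the quoted snippet with the Lua string escaping removed.
# The "i" of the snippet's "io" options becomes re.IGNORECASE.
ATTR_BREAK = re.compile(r"(?:^>[\w\s]*<\/?\w{2,}>)", re.IGNORECASE)

# Constructed sample: how a browser sends q=">hello world<em>" on the wire.
SAMPLE_URI = "/search?q=%3Ehello+world%3Cem%3E&page=2"


def split_query(request_uri):
    """Return the raw (still escaped) name/value pairs of the query string."""
    _, _, query = request_uri.partition("?")
    pairs = []
    for field in query.split("&"):
        if field:
            name, _, value = field.partition("=")
            pairs.append((name, value))
    return pairs


def scan(request_uri, decode):
    """Names of parameters whose value matches the filter.

    decode=False checks the bytes as sent on the wire (what matching
    $request_uri directly sees); decode=True unescapes each value first.
    """
    hits = []
    for name, value in split_query(request_uri):
        if decode:
            value = unquote_plus(value)
        if ATTR_BREAK.search(value):
            hits.append(name)
    return hits


def whole_uri_matches(request_uri):
    """Match the decoded URI as one string instead of per parameter."""
    return ATTR_BREAK.search(unquote_plus(request_uri)) is not None


if __name__ == "__main__":
    print("escaped values:", scan(SAMPLE_URI, decode=False))
    print("decoded values:", scan(SAMPLE_URI, decode=True))
    print("decoded whole URI:", whole_uri_matches(SAMPLE_URI))
```

Because this pattern is anchored with `^`, it only fires when it is given a single decoded parameter value; a decoded request URI always begins with "/", so matching the whole string still misses it.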
