limit_rate dynamically using $arg - security

shoshomiga nginx-forum at nginx.us
Thu Apr 5 15:06:32 UTC 2012


Maxim Dounin Wrote:
-------------------------------------------------------
> Hello!
> 
> On Thu, Apr 05, 2012 at 07:26:06AM -0400,
> shoshomiga wrote:
> 
> > Jonathan Matthews Wrote:
> >
> --------------------------------------------------
> -----
> > > On 4 April 2012 21:40, shoshomiga
> > > <nginx-forum at nginx.us> wrote:
> > > > I've been looking for a way to limit videos
> to
> > > their bitrate to save
> > > > bandwidth and I've come up with this code
> > > >
> > > >            if ($arg_LIMITSPEED) {
> > > >              set $limit_rate
> > > $arg_LIMITSPEED;
> > > >            }
> > > >
> > > > It works but I would like to know if this
> code
> > > would be secure to use on
> > > > a production server.
> 
> [...]
> 
> > By security I meant vulnerability to buffer
> overflows and other exploits
> > since limit_rate is probably not meant to
> recieve that kind of
> > unsanitized input.
> 
> It should be safe.  Note though that it will log
> error if there 
> are invalid values passed, which may in turn be
> used as a DoS 
> vector.
> 
> To be on safe side, I would recommend sanitizing
> the input, e.g. 
> with map{}.  Something like this should work:
> 
>     map $arg_speed $speed {
>         default 64k;
>         64k     64k;
>         128k    128k;
>         256k    256k;
>     }
> 
>     ...
> 
>     set $limit_rate $speed;

Is there a way to typecast to int instead?

map{} won't give me enough flexibility and it would probably be slower
than a typecast.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,224950,224974#msg-224974



More information about the nginx mailing list