location regular expression not filtering some characters
CM Fields
cmfileds at gmail.com
Tue Jun 19 18:07:49 UTC 2012
On Tue, Jun 19, 2012 at 2:01 PM, Maxim Dounin <mdounin at mdounin.ru> wrote:
> Hello!
>
> On Tue, Jun 19, 2012 at 11:46:32AM -0400, CM Fields wrote:
>
>> I am looking to filter all characters other then those specified in the
>> "location" regular expression. For example, [\w.]+$ should only allow one or
>> more letters, numbers, underscore and period just like [a-zA-Z0-9_.]
>>
>> location ~* ^/data/[\w.]+$ {...}
>>
>> When I test the url with wget I find the pound (#) and question mark (?) are
>> allowed through. For example...
>>
>> This URL is valid and is allowed through
>> wget "http://example.com/data/1234.txt"
>>
>> This URL with the additional "#" should not be allowed thorugh, but it is.
>> wget "http://example.com/data/12#34.txt"
>>
>> Adding a question mark also gets through when it is supposed to be blocked like
>> the pound "#" above.
>> wget "http://example.com/data/12?34.txt"
>>
>>
>> Are pound (#) and questions mark (?) matches being overridden in Nginx and thus
>> getting past my regular expression?
>
> They aren't part of data matched by locations. The "#" character
> denotes frament identifier (and normally not sent to a http server
> at all), and the "?" character denotes query string start.
>
> The "#" and "?" characters will be only seen by location matching
> if they are sent escaped, i.e. as a part of uri path component,
> not as a syntax construct.
>
>> Does anyone know of a way to block the "#" or "?" that I am missing?
>
> It's not clear what you are trying to block. If you want to
> reject all requests with fragments and query strings, you probably
> want to use the "if" directive instead.
>
> Maxim Dounin
>
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
Maxim,
Thanks for the response. I completely agree with your statement. I was
looking to
filter the URI with the location directive, but using an If {} was the
proper method.
Thanks again.
More information about the nginx
mailing list