merge_slashes and decoding of the path

Maxim Dounin mdounin at mdounin.ru
Mon Nov 25 17:08:02 UTC 2013 

Hello!

On Mon, Nov 25, 2013 at 10:44:15AM -0600, Jason Barnabe wrote:

> On my site, I accept full URL-encoded URLs as part of the path, for example:
> 
> http://www.mysite.com/search/http%3A%2F%2Fexample.com%2F
> 
> I recently moved my site to nginx and I found that it was decoding and
> collapsing the slashes before passing it on to Passenger. It would pass
> along the URL like this: http://www.mysite.com/search/http:/example.com/
> 
> I found the merge_slashes setting, and on setting it to off, Passenger now
> receives URLs like this: http://www.mysite.com/search/http://example.com/ .
> So the slashes are kept, but the path is still decoded. The nginx
> documentation [1] says "However, for security considerations, it is better
> to avoid turning the compression off."
> 
> What are the security considerations here?

Example of a vulnerable configuration is given in the directive 
description you've linked (http://nginx.org/r/merge_slashes):

: Note that compression is essential for the correct matching of 
: prefix string and regular expression locations. Without it, the 
: “//scripts/one.php” request would not match
: 
: location /scripts/ {
:     ...
: }
: and might be processed as a static file. So it gets converted to 
: “/scripts/one.php”.

That is, with merge_slashes switched off, restrictions like

    location /protected/ {
        deny all;
    }

can be easily bypassed by using a request to "//protected/file".  
It should be taken into account while writing a configuration for 
a server with merge_slashes switched off.

> Why does nginx not allow the
> encoded slashes to be passed through (like Apache does[2]), and if it did
> so, would that negate the security concerns?

While not decoding slashes is probably a better than not merging 
them, it's not really a good aproach either.  This way, the 

    http://www.mysite.com/search/http%3A%2F%2Fexample.com%2F

URL becomes equivalent to

    http://www.mysite.com/search/http%3A%252F%252Fexample.com%252F

which isn't really consistent and may produce unexpected results.

-- 
Maxim Dounin
http://nginx.org/en/donation.html

More information about the nginx mailing list