header handling

Maxim Dounin mdounin at mdounin.ru
Mon Aug 17 11:31:53 UTC 2015


Hello!

On Sat, Aug 15, 2015 at 12:15:47AM -0700, Frank Liu wrote:

> I made the below patch and can now use $upstream_http_x_header for
> logformat to capture the header X.header in the access log. Does anybody
> see any issues with the patch?
> 
> --- src/http/ngx_http_variables.c.orig 2015-08-15 02:19:31.635328112 +0000
> 
> +++ src/http/ngx_http_variables.c 2015-08-15 02:19:42.051541422 +0000
> 
> @@ -897,6 +897,8 @@
> 
> 
> 
>              } else if (ch == '-') {
> 
>                  ch = '_';
> 
> +            } else if (ch == '.') {
> 
> +                ch = '_';
> 
>              }

Such approach will likely result in security problems, as 
"X.header" and "X-header" would be indistinguishable from nginx 
point of view.

-- 
Maxim Dounin
http://nginx.org/



More information about the nginx mailing list