Help secure my location block
Abhi
abhi at littlewiki.in
Sat Jun 13 18:33:47 UTC 2015
I have files that are served by the backend web app at
/xxx/File?file=yyy.png. These files are stored at /storage/files on
the server. So, I wrote a location block to serve these files from
storage directly from the web server.
Here is my first take:
location /xxx/File {
    if ($request_method = POST) {
        proxy_pass http://backend;
    }
    alias /storage/files/;
    try_files $arg_file =404;
}
The issue is that I can do something like /xxx/File?file=../../etc/foo.bar
and nginx will serve the foo.bar file for me. So I switched to the
following:
location /xxx/File {
    if ($request_method = POST) {
        proxy_pass http://backend;
    }
    if ($arg_file ~ \.\.) { return 403; }
    alias /storage/files/$arg_file;
}
Can someone point me to any corner cases that can be exploited and what
is the best practice for situations like these?
--
Abhi
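The usual recommendation for the situation in this post is to canonicalise the requested name under the storage root and check that the result stays inside it, rather than to pattern-match the query argument for "..". The following Python is an added illustration of that check, not code from the post or from nginx; STORAGE_ROOT and resolve_file_arg are names chosen here, the inputs are constructed, and the function uses pure path normalisation so it runs without the directory existing (a real file server would additionally resolve symlinks with os.path.realpath before the containment test).

```python
import posixpath
from urllib.parse import unquote

# Constructed example: the directory the post's alias directive points at.
STORAGE_ROOT = "/storage/files"


def resolve_file_arg(file_arg: str, root: str = STORAGE_ROOT):
    """Return the absolute path to serve for ?file=<file_arg>, or None if the
    request must be rejected. The decision is made on the canonical path, so
    it does not depend on how the traversal was spelled in the query string."""
    if not file_arg:
        return None
    # nginx's $arg_* variables carry the raw query value; decode once so the
    # check sees the same bytes the filesystem would see.
    name = unquote(file_arg)
    if "\x00" in name:
        return None
    # Anchor under the root and collapse ".", ".." and doubled slashes.
    candidate = posixpath.normpath(posixpath.join(root, name.lstrip("/")))
    # Accept only paths strictly inside the root (the root itself is not a file).
    if candidate == root or not candidate.startswith(root + "/"):
        return None
    return candidate


def demo():
    """Show the canonicalisation check on constructed ?file= values."""
    samples = [
        "yyy.png",             # ordinary file: served
        "../../etc/foo.bar",   # the traversal from the post: rejected
        "sub/../yyy.png",      # harmless '..' that a regex ban would 403: served
        "photo..png",          # legitimate name containing '..': served
        "",                    # empty argument: rejected
    ]
    return {s: resolve_file_arg(s) for s in samples}


if __name__ == "__main__":
    for arg, path in demo().items():
        print(f"{arg!r:24} -> {path}")
```

Note that the second config in the post rejects any argument containing two consecutive dots, so a legitimate file called photo..png would get a 403 while the containment check above serves it; conversely the containment check catches every way of leaving /storage/files, not only the literal ".." substring.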