Help secure my location block

Abhi abhi at littlewiki.in
Sat Jun 13 18:33:47 UTC 2015


I have files that are served by the backend web app at 
|/xxx/File?file=yyy.png|. These files are stored at |/storage/files| on 
the server. So, I wrote a location block to serve these files from 
storage directly from the web server.

Here is my first take:

|location /xxx/File {
     if ($request_method = POST ) {
         proxy_pass http://backend;
     }

     alias /storage/files/;
     try_files $arg_file =404;

}
|

The issue is I can do something like |/xxx/File?file=../../etc/foo.bar| 
and nginx will serve the foo.bar file for me. So, I switched to this 
following:

|location /xxx/File {
     if ($request_method = POST ) {
         proxy_pass http://backend;
     }
     if ($arg_file ~ \.\.) { return 403; }
     alias /storage/files/$arg_file;

}
|

Can someone point me to any corner cases that can be exploited and what 
is the best practice for situations like these?

--
Abhi

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20150614/e7683c95/attachment.html>


More information about the nginx mailing list