Set location based on query arg

Francis Daly francis at daoine.org
Fri Nov 11 08:41:40 UTC 2016


On Fri, Nov 11, 2016 at 08:30:06AM +0000, Francis Daly wrote:
> On Thu, Nov 10, 2016 at 06:46:10PM -0500, ulik wrote:

Hi there,

> >     # root when path query arg is present
> >     if ($arg_path) {
> >         root /var/www/example/$arg_path;
> >     }

> You can use "map" to set a variable, and then use that variable in the
> "root" directive. That way you can avoid trying to have "root" within
> "if".

Be aware that using user-controlled values in important config is not
often a good thing.

A request for

  /passwd?path=../../../../../etc

might return some content that you would prefer it did not, for example.

It would be better to have a list of the allowed paths, or at least the
allowed path patterns, and write the map so that "root" only ends up
with values that you expect.

So - make the default value be "default"; and then only use $arg_path
if it (for example) is only letters.

Cheers,

	f
-- 
Francis Daly        francis at daoine.org



More information about the nginx mailing list