

Minor "bug" in nginx

April 29, 2009 04:17PM
This is not really a 'bug', I think, but it is something that raises a
security flag; we got dinged on it. Now, it does not appear to
actually execute the proxy request, but it should return something
other than HTTP 200.

[mike@lvs01 ~]$ telnet test.foo.org 80
Connected to test.foo.org.
Escape character is '^]'.
GET http://xmike.com HTTP/1.1
Host: xmike.com

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 29 Apr 2009 20:08:16 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 27
Last-Modified: Tue, 09 Dec 2008 19:54:37 GMT
Connection: keep-alive
Accept-Ranges: bytes


telnet> quit

I don't believe nginx should allow for GET http://someforeignhost/,
should it? Is there an actual use model for this?

If so, I would create a configuration parameter to allow remote
connections, or something. Returning an HTTP error with something back
such as:

510 Not Extended
503 Service Unavailable
501 Not Implemented
416 Requested Range Not Satisfiable
415 Unsupported Media Type
406 Not Acceptable
405 Method Not Allowed
403 Forbidden
400 Bad Request

Would be what I would suggest...
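
An added example, not part of the original post or of nginx: a Python check that sends both the normal `GET /` and the absolute-form `GET http://foreignhost/` shown in the telnet session to a server you operate, then reports whether the 200 is just the server's own page or something that needs a closer look. The function names, verdict strings and sample responses are constructed for illustration.

```python
import socket

def parse_response(raw):
    """Split a raw HTTP response into (status_code, body); status 0 means no reply."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    return status, body

def fetch(addr, target, host, timeout=5.0):
    """Send 'GET <target> HTTP/1.1' with the given Host header; return (status, body)."""
    request = f"GET {target} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    chunks = []
    with socket.create_connection(addr, timeout=timeout) as sock:
        sock.sendall(request.encode("ascii"))
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_response(b"".join(chunks))

def classify(local, foreign):
    """Compare the reply to 'GET /' with the reply to the absolute-form request."""
    status, _body = foreign
    if status == 0 or status >= 400:
        return "rejected"              # error status, or connection closed with no reply
    if foreign == local:
        return "served-local-content"  # same page as 'GET /': nothing was proxied
    return "needs-review"              # 2xx/3xx with different content

def check(addr, own_host, foreign_host):
    """Run both requests against a server you operate and classify the result."""
    local = fetch(addr, "/", own_host)
    foreign = fetch(addr, f"http://{foreign_host}/", foreign_host)
    return classify(local, foreign)

if __name__ == "__main__":
    # Constructed sample responses (not captured from a real server).
    page = b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Length: 5\r\n\r\nhello"
    denied = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"
    print(classify(parse_response(page), parse_response(page)))
    print(classify(parse_response(page), parse_response(denied)))
```

A "needs-review" verdict is deliberately conservative: dynamic pages, or a default virtual host that differs from the one named in `own_host`, also produce differing bodies.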
Subject                     Author         Posted
Minor "bug" in nginx        mike           April 29, 2009 04:17PM
Re: Minor "bug" in nginx    Maxim Dounin   April 29, 2009 06:01PM
Re: Minor "bug" in nginx    mike           April 29, 2009 06:57PM
Re: Minor "bug" in nginx    mike           April 29, 2009 08:23PM
Re: Minor "bug" in nginx    Igor Sysoev    April 30, 2009 12:50AM
Re: Minor "bug" in nginx    Maxim Dounin   April 29, 2009 08:13PM
