Re: Encoded slashes in URL with proxy = trouble?

September 09, 2011 11:08AM
On Fri, Sep 09, 2011 at 10:47:10AM -0400, François Beausoleil wrote:
> Hi!
>
> Nginx is in front of the RabbitMQ management extension. Some of the URLs the extension generates contain an embedded slash character (%2F):
>
> http://somehost/#/queues/%2F/events
>
> The encoded slash represents the vhost I want to get information about. I found an older ServerFault question with no answer[1], and was wondering if any of you had a way to let Nginx pass through the encoded slash?
>
> Thanks!
> François
>
> [1] http://serverfault.com/questions/289188/nginx-passenger-encoded-slash

First, I'm not sure that the browser sends anything to the server after
the hash character "#", since the hash means a fragment on the page.

As to the encoded slash, nginx normalizes the URI: it decodes all characters,
so "/queues/%2F/events" becomes "/queues///events", and then it merges
all slashes, "/./", and "/../" to test the URI against locations.
Otherwise, anyone can request something like "/%2E%2E%2E../../etc/passwd"
to get files out of server control. Or to get the source text of the script
files instead of executing them.

If you want to pass the unchanged request to the backend, you can use just
the backend name without a slash in proxy_pass:

location /queues/ {
    proxy_pass http://backend;
}

i.e.,

- proxy_pass http://backend/;
+ proxy_pass http://backend;
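Review bot: the `+` line should carry a config comment saying that the backend now receives the request unchanged, as the reply puts it, while nginx still matches `location /queues/` on the decoded and merged URI. With that form the backend has to decode and validate `%2F` and any dot segments itself, which is easy to miss when someone later reads only the directive.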


--
Igor Sysoev

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
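
The behaviour described in the reply above, as an added example that is not part of the original message and is not nginx's code: a simplified Python model of the normalization (decode, merge slashes, resolve dot segments) and of the two proxy_pass forms. The function names and sample requests are constructed for illustration; query strings and nginx's re-escaping of the rewritten path are left out.

```python
import re
from urllib.parse import unquote, urlsplit

def normalize(raw_path):
    """Simplified model of the normalization described in the reply:
    percent-decode, merge repeated slashes, resolve "." and ".." segments.
    Returns None when ".." would climb above the root (request rejected)."""
    decoded = re.sub(r"/+", "/", unquote(raw_path))
    out = []
    for seg in decoded.split("/")[1:]:
        if seg == ".":
            continue
        if seg == "..":
            if not out:
                return None
            out.pop()
        else:
            out.append(seg)
    return "/" + "/".join(out)

def upstream_uri(raw_path, location, proxy_pass):
    """Path the backend would receive, or None if the request is rejected
    or the prefix location does not match the normalized path."""
    norm = normalize(raw_path)
    if norm is None or not norm.startswith(location):
        return None
    uri_part = urlsplit(proxy_pass).path  # "/" for http://backend/, "" for http://backend
    if uri_part:
        # proxy_pass with a URI: the matched prefix of the normalized path is replaced
        return uri_part + norm[len(location):]
    # proxy_pass without a URI: the path is forwarded as the client sent it
    return raw_path

# Constructed sample requests (not taken from any real log)
SAMPLES = [
    "/queues/%2F/events",                # encoded slash naming the vhost
    "/queues/%2E%2E/admin",              # encoded dot segment leaving /queues/
    "/queues/%2E%2E/%2E%2E/etc/passwd",  # climbs above the root
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(raw, "-> matched on", normalize(raw))
        for target in ("http://backend/", "http://backend"):
            print("   ", target, "->", upstream_uri(raw, "/queues/", target))
```
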