On 20 October 2011 14:48, agentzh <agentzh@gmail.com> wrote:
> As I said, try using external .lua file and
> content/rewrite/access/set_by_lua_file to avoid nginx string escaping
> issues.

Understood. However, when I follow your instructions on this, things
fail. They seem to work my way.

Take this regex for example: (?:^>[\w\s]*<\/?\w{2,}>)

When I use my "incorrect" escaping in access_by_lua file ...

local query_string = ngx.re.match(ngx.var.request_uri,
"(?:^>[\\\w\\\s]*<\\\/?\\\w{2,}>)", "io")
-- finds unquoted attribute breaking injections -- xss -- csrf
-- <impact>2</impact>
if query_string then
ngx.exit(ngx.HTTP_BAD_REQUEST)
end

.... the debug log entry is ....

[debug] 24803#0: *154 lua regex cache miss for match regex
"(?:^>[\w\s]*<\/?\w{2,}>)" with options "io"
[debug] 24803#0: *154 lua compiling match regex
"(?:^>[\w\s]*<\/?\w{2,}>)" with options "io" (compile once: 1)
[debug] 24803#0: *154 lua saving compiled regex (0 captures) into the
cache (entries 6)
[debug] 24803#0: *154 regex "(?:^>[\w\s]*<\/?\w{2,}>)" not matched on
string "/trackip/?searchip=213.162.113.89" starting from 0

I.E. the match regex, "(?:^>[\w\s]*<\/?\w{2,}>)" is the same as the original.

I don't know why, but it works and the "correct" escaping does not.

So I'm sticking with this until I start to see problems.

Cheers.

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx