Maxim Dounin
April 05, 2012 10:46AM
Hello!

On Thu, Apr 05, 2012 at 07:26:06AM -0400, shoshomiga wrote:

> Jonathan Matthews Wrote:
> -------------------------------------------------------
> > On 4 April 2012 21:40, shoshomiga
> > <nginx-forum@nginx.us> wrote:
> > > I've been looking for a way to limit videos to
> > their bitrate to save
> > > bandwidth and I've come up with this code
> > >
> > >            if ($arg_LIMITSPEED) {
> > >              set $limit_rate
> > $arg_LIMITSPEED;
> > >            }
> > >
> > > It works but I would like to know if this code
> > would be secure to use on
> > > a production server.

[...]

> By security I meant vulnerability to buffer overflows and other exploits
> since limit_rate is probably not meant to recieve that kind of
> unsanitized input.

It should be safe. Note though that it will log error if there
are invalid values passed, which may in turn be used as a DoS
vector.

To be on safe side, I would recommend sanitizing the input, e.g.
with map{}. Something like this should work:

map $arg_speed $speed {
default 64k;
64k 64k;
128k 128k;
256k 256k;
}

...

set $limit_rate $speed;

Maxim Dounin

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

limit_rate dynamically using $arg - security

shoshomiga April 04, 2012 04:40PM

Re: limit_rate dynamically using $arg - security

Jonathan Matthews April 04, 2012 05:34PM

Re: limit_rate dynamically using $arg - security

shoshomiga April 05, 2012 07:26AM

Re: limit_rate dynamically using $arg - security

Maxim Dounin April 05, 2012 10:46AM

Re: limit_rate dynamically using $arg - security

shoshomiga April 05, 2012 11:06AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 259
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready