Re: I want help...

Thomas Joseph
December 14, 2012 05:00PM
Hi,

Thanks a lot for the insight.

I have checked the order of abc, pqr and xyz and nginx does not proxy_pass.

It does not proxy_pass if it is ab or abcd, instead of abc.

It does not even match special characters.


That is good, and it is blocking a submission with additional parameters, like


https://x.y.com/?abc=1.2.3.4&pqr=asdf&xyz=123888598&def=123


The client is typically the browser that would make ajax call from anywhere in the Internet, but I do
see someone possibly crafting a payload that could confuse the app running on 127.0.0.1.

Will definitely go through map and will get back.


Appreciate and thanks again, Francis.

tjoseph.




________________________________
From: Francis Daly <francis@daoine.org>
To: nginx@nginx.org
Sent: Saturday, 15 December 2012 2:21 AM
Subject: Re: I want help...

On Sat, Dec 15, 2012 at 04:18:55AM +0800, Thomas Joseph wrote:

Hi there,

it seems to me that the level of application-specific control you are
looking for probably does not belong in a default nginx.conf.

The back-end application is probably the right place to do these checks.

You could try using one of the nginx embedded language modules, which
may provide more features.

Or you could try using the various $arg_* variables in a map --
http://nginx.org/r/map.

> And a valid submission will be https://x.y.com/?abc=1.2.3.4&pqr=asdf&xyz=123888598

Would https://x.y.com/?abc=1.2.3.4&xyz=123888598&pqr=asdf be
invalid? Unless you control the client, you probably don't control
the order.

> abc is numeric, with . in between, and ending in digit(s), think of a uuid like 2.16.840.1.113883
>
> pqr is only alpha, but has 2 choices, asdf or lkjh
>
> xyz is purely numeric

Untested, but something like

  map $arg_xyz $xyz_bad {
    default 1;
    ~^[0-9]+$ 0;
  }

with similar things for "abc" and "pqr", would set variables that you
could then test for.

  if ($xyz_bad) {
    return 400 "xyz is wrong";
  }

> location / {
> ....
> .....
> if ($args ~ ^((abc=(\d+\.)+(\d+))\&(pqr=(asdf|lkjh))\&(xyz=\d+))$){
> proxy_pass http://127.0.0.1:890/?$1;
> }
>
> Still I cannot limit the repetition, like (abc=(\d{3,10})). It seems nginx does not support {}. Is that true?

I don't know; but it possibly depends on the regex library found at
compile time.

> And what about "if is evil"

Don't use "if" inside "location" unless you can explain why your usage
is correct. That's the rule I tend to use.

Good luck with it,

    f
--
Francis Daly        francis@daoine.org

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
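Francis's map suggestion carried through for all three parameters, as an added example that is not part of the thread: one map per $arg_* variable, a fourth map that combines the three flags, and a "return" (one of the uses of "if" that is safe inside "location") that rejects the request before proxy_pass. The upstream 127.0.0.1:890 and the parameter rules come from the original post; the server block, the quantifier limits and the omission of TLS settings are assumptions.

```nginx
# Added example, not from the thread. Order of query parameters does not matter,
# because each $arg_* variable is looked up by name.

# Regexes containing { or } must be quoted, or nginx reads the brace as a block
# delimiter; this is the real cause of the "nginx does not support {}" symptom.
map $arg_abc $abc_bad {
    default                    1;
    "~^(\d{1,5}\.)+\d{1,5}$"   0;   # dotted numeric, e.g. 2.16.840.1.113883
}

# Plain string keys in a map are matched case-insensitively; a regex with "~"
# keeps the comparison case-sensitive, which is what an allow-list should do.
map $arg_pqr $pqr_bad {
    default             1;
    "~^(asdf|lkjh)$"    0;
}

map $arg_xyz $xyz_bad {
    default             1;
    "~^\d{1,20}$"       0;
}

# Combine the three flags: only "000" (all three valid) is accepted.
map "$abc_bad$pqr_bad$xyz_bad" $args_bad {
    default     1;
    "000"       0;
}

server {
    listen      80;            # assumption: TLS listener configured elsewhere
    server_name x.y.com;

    location / {
        # "return" is a safe directive inside "if" in location context.
        if ($args_bad) {
            return 400 "invalid parameters\n";
        }
        # Rebuild the query string from the validated variables only, so any
        # extra parameter (e.g. def=123) never reaches the back-end app.
        proxy_pass http://127.0.0.1:890/?abc=$arg_abc&pqr=$arg_pqr&xyz=$arg_xyz;
    }
}
```

A missing parameter leaves its $arg_* variable empty, which falls through to "default 1" and is rejected like a malformed one.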