On Fri, Nov 11, 2016 at 08:30:06AM +0000, Francis Daly wrote:
> On Thu, Nov 10, 2016 at 06:46:10PM -0500, ulik wrote:

Hi there,

> > # root when path query arg is present
> > if ($arg_path) {
> > root /var/www/example/$arg_path;
> > }

> You can use "map" to set a variable, and then use that variable in the
> "root" directive. That way you can avoid trying to have "root" within
> "if".

Be aware that using user-controlled values in important config is not
often a good thing.

A request for

/passwd?path=../../../../../etc

might return some content that you would prefer it did not, for example.

It would be better to have a list of the allowed paths, or at least the
allowed path patterns, and write the map so that "root" only ends up
with values that you expect.

So - make the default value be "default"; and then only use $arg_path
if it (for example) is only letters.

Cheers,

f
--
Francis Daly francis@daoine.org

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx