On Fri, Nov 11, 2016 at 08:30:06AM +0000, Francis Daly wrote:
> On Thu, Nov 10, 2016 at 06:46:10PM -0500, ulik wrote:

Hi there,

> > # root when path query arg is present
> > if ($arg_path) {
> >     root /var/www/example/$arg_path;
> > }

> You can use "map" to set a variable, and then use that variable in the
> "root" directive. That way you can avoid trying to have "root" within
> "if".

Be aware that using user-controlled values in important config is not
often a good thing.

A request for

    /passwd?path=../../../../../etc

might return some content that you would prefer it did not, for example.

It would be better to have a list of the allowed paths, or at least the
allowed path patterns, and write the map so that "root" only ends up
with values that you expect.

So - make the default value be "default"; and then only use $arg_path
if it (for example) is only letters.

Cheers,

	f
--
Francis Daly francis@daoine.org
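
The map-based approach described in the message above, as an added example that is not part of the original post. The variable names `$root_dir` and `$root_dir_listed`, the directory names `blog` and `shop`, and the listen port are assumptions made for illustration.

```nginx
# Added illustration; the map blocks go in the http {} context.
# Variable names and directory names are constructed, not from the thread.

# Allowed path pattern: use $arg_path only when it consists of letters
# from start to end. A value containing "/", "." or "%" does not match
# and falls through to the default.
map $arg_path $root_dir {
    default         default;
    ~^[A-Za-z]+$    $arg_path;
}

# Alternative: explicit list of allowed paths (hypothetical names).
# Anything not listed maps to "default".
map $arg_path $root_dir_listed {
    default   default;
    blog      blog;
    shop      shop;
}

server {
    listen 8080;

    # No "if" needed. With the map above, root is always
    # /var/www/example/<letters> or /var/www/example/default.
    root /var/www/example/$root_dir;

    location / {
        try_files $uri =404;
    }
}
```

With this configuration the request `/passwd?path=../../../../../etc` is served from `/var/www/example/default`, because the `path` value does not match the letters-only pattern.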