On Sat, Jun 20, 2009 at 04:27:58PM +0100, Jools Wills wrote:
> On Thu, 2009-06-18 at 11:41 +0400, Igor Sysoev wrote:
>
> > locaiton ~ ^/~([^/]+)(/?.*)$) { (i changed to location ~ ^/~([^/]+)(/?.*)$ {)
> > alias /home/$1/public_html/$2;
> > autoindex on;
> > }
>
> This works well, thanks. Are there any security risks with this? For
> example, could it be abused to gain access to another folder by using a
> specific path?
nginx normalizes ".." in the URI, i.e., "/~user/../dir/file" becomes
"/dir/file" and will not match this location.
"/~user/dir/../file" becomes "/~user/file" and will be mapped by "alias"
to "/home/user/public_html/file".
--
Igor Sysoev
http://sysoev.ru/en/
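
The two cases from the reply above, traced in a simplified Python model (an added example, not part of the original message and not nginx's own code). The function names `normalize_uri` and `map_request` are hypothetical; the normalization steps follow what the nginx documentation describes for location matching (decode `%XX`, merge adjacent slashes, resolve `.` and `..`).

```python
import re
from urllib.parse import unquote

# Location regex and alias target from the thread (corrected form).
LOCATION = re.compile(r"^/~([^/]+)(/?.*)$")
ALIAS = "/home/{user}/public_html/{rest}"


def normalize_uri(uri):
    """Model of nginx URI normalization, applied before location matching.

    Returns None when ".." would climb above "/" (nginx rejects such
    requests instead of serving them).
    """
    path = unquote(uri.split("?", 1)[0])   # drop query string, decode %XX
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):               # merged slashes and "." vanish
            continue
        if seg == "..":
            if not out:
                return None
            out.pop()                      # ".." removes the previous segment
        else:
            out.append(seg)
    trailing = "/" if out and path.endswith(("/", "/.", "/..")) else ""
    return "/" + "/".join(out) + trailing


def map_request(uri):
    """Return the file path the regex location + alias would serve, or
    None if the normalized URI is invalid or does not match the location."""
    norm = normalize_uri(uri)
    if norm is None:
        return None
    m = LOCATION.match(norm)
    if m is None:
        return None
    mapped = ALIAS.format(user=m.group(1), rest=m.group(2))
    return re.sub(r"/+", "/", mapped)      # the OS treats "//" as "/"


if __name__ == "__main__":
    for uri in ("/~user/../dir/file", "/~user/dir/../file"):
        print(uri, "->", normalize_uri(uri), "->", map_request(uri))
```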