Opened 12 years ago

Closed 12 years ago

#163 closed enhancement (wontfix)

Nginx cache and dotdot

Reported by: Kevin Fernandez Owned by: somebody
Priority: minor Milestone:
Component: nginx-core Version: 1.2.x
Keywords: Cc:
uname -a:
nginx -V: nginx version: nginx/0.7.67
TLS SNI support enabled
configure arguments: --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-log-path=/var/log/nginx/access.log --http-proxy-temp-path=/var/lib/nginx/proxy --lock-path=/var/lock/nginx.lock --pid-path=/var/run/ --with-debug --with-http_dav_module --with-http_flv_module --with-http_geoip_module --with-http_gzip_static_module --with-http_realip_module --with-http_stub_status_module --with-http_ssl_module --with-http_sub_module --with-ipv6 --with-mail --with-mail_ssl_module --add-module=/root/nginx-0.7.67/modules/nginx-upstream-fair


It would be great to have a setting to forbid caching with ../ chars (and encoded ones).

If we cache /images/ requests, someone would assume only those requests to the images folder are cached and may forget to remove cookies in requests and set-cookie in replies.

Of course it's possible to block it by ourselves either on nginx by checking for those chars or by forbidding caching on everything less the /images folder on the backend..

Just thought i would suggest this because i find it dangerous..

(i have 0.7 but tested on 1.2 too)


Change History (2)

comment:1 by Kevin Fernandez, 12 years ago

My example is like GET /images/../index.php or
GET /images/../administrator/index.php

Another example:

You have an htaccess in /superprivate/
Someone is logged in there, and you send him the link /images/../superprivate/ or /images/../superprivate/private.txt

This will cache it in nginx, and we can retrieve the cache without auth

The /images/../ trick works in Konqueror, i don't know if it's possible in other browsers with some tricks..

Doesn't work if we use the right headers in the backend.. But does everybody know it is possible to do that? I don't think everybody sets it right on the backend..

comment:2 by Maxim Dounin, 12 years ago

Resolution: wontfix
Status: newclosed

There is a request normalization in place which will prevent "/images/../" from matching "location /images/", see It was developed exactly to handle such and similar cases.

Note: See TracTickets for help on using tickets.