Opened 11 years ago
Closed 11 years ago
#163 closed enhancement (wontfix)
Nginx cache and dotdot
Reported by: Kevin Fernandez
Owned by: somebody
nginx version: nginx/0.7.67
TLS SNI support enabled
configure arguments: --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-log-path=/var/log/nginx/access.log --http-proxy-temp-path=/var/lib/nginx/proxy --lock-path=/var/lock/nginx.lock --pid-path=/var/run/nginx.pid --with-debug --with-http_dav_module --with-http_flv_module --with-http_geoip_module --with-http_gzip_static_module --with-http_realip_module --with-http_stub_status_module --with-http_ssl_module --with-http_sub_module --with-ipv6 --with-mail --with-mail_ssl_module --add-module=/root/nginx-0.7.67/modules/nginx-upstream-fair
It would be great to have a setting to forbid caching with ../ chars (and encoded ones).
If we cache /images/ requests, someone would assume only those requests to the images folder are cached and may forget to remove cookies in requests and set-cookie in replies.
Of course it's possible to block it ourselves, either in nginx by checking for those chars or by forbidding caching on everything except the /images folder on the backend.
Just thought I would suggest this because I find it dangerous.
(I have 0.7 but tested on 1.2 too)
Change History (2)
comment:1 by , 11 years ago
comment:2 by , 11 years ago
|Status:||new → closed|
There is a request normalization in place which will prevent "/images/../" from matching "location /images/", see http://nginx.org/r/location. It was developed exactly to handle such and similar cases.
My example is like GET /images/../index.php, or:
You have an .htaccess in /superprivate/.
Someone is logged in there, and you send him the link /images/../superprivate/ or /images/../superprivate/private.txt.
This will cache it in nginx, and we can retrieve the cache without auth.
The /images/../ trick works in Konqueror; I don't know if it's possible in other browsers with some tricks.
It doesn't work if we use the right headers in the backend. But does everybody know it is possible to do that? I don't think everybody sets it right on the backend.
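The following Python is an added example, not code from this ticket or from nginx itself. It models the point made in the closing comment: the location match is performed on a normalized request URI, so the check that would be fooled by a link such as /images/../superprivate/private.txt is a prefix test on the raw URI, not the one nginx does. The helper names (normalize_uri, is_cached, naive_is_cached) and the sample request list are constructed for this illustration; the normalization is percent-decoding followed by RFC 3986 dot-segment removal, which is the behaviour the comment relies on, not a copy of nginx's parser.

```python
# Added example (not from the nginx ticket or nginx's own code): a minimal model of
# "normalize the URI, then match the location", applied to the /images/../ cases
# discussed in the ticket. Helper names are hypothetical; sample URIs are constructed.
from urllib.parse import unquote

CACHED_PREFIX = "/images/"   # stands in for "location /images/" with caching enabled


class BadRequest(ValueError):
    """Raised when '..' would climb above the document root."""


def normalize_uri(raw_uri: str) -> str:
    """Percent-decode the path and remove RFC 3986 dot-segments.

    Decoding happens first so '%2e%2e' is seen as '..' (the "encoded ones" from the
    report). Repeated slashes are merged (nginx's merge_slashes default). A path that
    escapes the root ('/images/../../x') is rejected rather than clamped, which is
    also how nginx answers such a request (400 Bad Request).
    """
    path = raw_uri.split("?", 1)[0]          # the query string is not part of the path
    path = unquote(path)
    if not path.startswith("/"):
        raise BadRequest("request URI must be an absolute path")
    while "//" in path:
        path = path.replace("//", "/")

    segments = []
    parts = path.split("/")[1:]              # drop the empty string before the leading '/'
    for i, seg in enumerate(parts):
        last = i == len(parts) - 1
        if seg == ".":
            if last:
                segments.append("")          # '/a/.'  -> '/a/'
            continue
        if seg == "..":
            if not segments:
                raise BadRequest("dot-dot climbs above the root")
            segments.pop()
            if last:
                segments.append("")          # '/a/b/..' -> '/a/'
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def naive_is_cached(raw_uri: str) -> bool:
    """The check the reporter feared: a prefix test on the raw request URI."""
    return raw_uri.startswith(CACHED_PREFIX)


def is_cached(raw_uri: str) -> bool:
    """Prefix test on the normalized URI, i.e. what a location match sees."""
    try:
        return normalize_uri(raw_uri).startswith(CACHED_PREFIX)
    except BadRequest:
        return False                          # a 400 response is never cached


SAMPLE_REQUESTS = [   # constructed for this example
    "/images/logo.png",
    "/images/../index.php",
    "/images/../superprivate/private.txt",
    "/images/%2e%2e/superprivate/",
    "/images/./../superprivate/",
    "/images/../../etc/passwd",
]

if __name__ == "__main__":
    for uri in SAMPLE_REQUESTS:
        try:
            norm = normalize_uri(uri)
        except BadRequest as exc:
            norm = f"400 ({exc})"
        print(f"{uri:40} raw-prefix={naive_is_cached(uri)!s:5} "
              f"normalized={norm:30} cached={is_cached(uri)}")
```

Running it shows the raw prefix test accepting every /images/../ variant while the normalized test accepts only /images/logo.png. On the backend side of the reporter's last point: nginx's proxy cache does not store a response that carries Set-Cookie, or a Cache-Control with private, no-cache or no-store, unless proxy_ignore_headers is configured to ignore those fields, so the "right headers" are a second, independent guard.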