Nginx doesn't escape unsafe characters on proxying

[ZigzagAK@…]

Example synthetic configuration:

upstream xxxx {
  server 127.0.0.1:3456;
}

server {
  listen 3456;
  location / {
    return 200 '$uri\n$request\n';
  }
}

server {
  listen 2345;
  location / {
    rewrite ^ $uri break;
    proxy_pass http://xxxx;
  }
}

[root@e078281ef0c9 gateway]# curl localhost:3456/xxx/aaa%3C%3E%22
/xxx/aaa<>"
GET /xxx/aaa%3C%3E%22 HTTP/1.1
[root@e078281ef0c9 gateway]# curl localhost:2345/xxx/aaa%3C%3E%22
/xxx/aaa<>"
GET /xxx/aaa<>" HTTP/1.1
[root@e078281ef0c9 gateway]#

tcpdump:

before nginx:

GET /xxx/aaa%3C%3E%22 HTTP/1.1
User-Agent: curl/7.29.0
Host: localhost:2345
Accept: */*

after nginx:

GET /xxx/aaa<>" HTTP/1.1
Connection: keep-alive
Host: localhost:2345
Connection: keep-alive
User-Agent: curl/7.29.0
Accept: */*
X-Forwarded-For: 127.0.0.1
X-Real-IP: 127.0.0.1

Real code is more complicated.

This is cause of error on the backend side:

java.lang.IllegalArgumentException: Invalid character found in the request target [... code:test%23a%3Ft"t%25r]. The valid characters

are defined in RFC 7230 and RFC 3986

​https://datatracker.ietf.org/doc/html/rfc1738#section-2.2

... The characters "<" and ">" are unsafe because they are used as the

delimiters around URLs in free text; the quote mark (""") is used to
delimit URLs in some systems.

All unsafe characters must always be encoded within a URL.

Cause: ​https://github.com/nginx/nginx/blob/master/src/core/ngx_string.c#L1496