id summary reporter owner description type status priority milestone component version resolution keywords cc uname nginx_version 348 Excessive urlencode in if-set Petr Messner "Hello, I had setup Apache with mod_dav_svn behind nginx acting as front-end proxy and while commiting a copied file with brackets ([]) in filename into that subversion I found a bug in nginx. How to reproduce it (configuration file is as simple as possible while still causing the bug): {{{ $ cat nginx.conf error_log stderr debug; pid nginx.pid; events { worker_connections 1024; } http { access_log access.log; server { listen 8000; server_name localhost; location / { set $fixed_destination $http_destination; if ( $http_destination ~* ^(.*)$ ) { set $fixed_destination $1; } proxy_set_header Destination $fixed_destination; proxy_pass http://127.0.0.1:8010; } } } $ nginx -p $PWD -c nginx.conf -g 'daemon off;' ... }}} In second terminal window: {{{ $ nc -l 8010 }}} In third terminal window: {{{ $ curl --verbose --header 'Destination: http://localhost:4000/foo%5Bbar%5D.txt' '0:8000/%41.txt' * About to connect() to 0 port 8000 (#0) * Trying 0.0.0.0... * Adding handle: conn: 0x7fa91b00b600 * Adding handle: send: 0 * Adding handle: recv: 0 * Curl_addHandleToPipeline: length: 1 * - Conn 0 (0x7fa91b00b600) send_pipe: 1, recv_pipe: 0 * Connected to 0 (0.0.0.0) port 8000 (#0) > GET /%41.txt HTTP/1.1 > User-Agent: curl/7.30.0 > Host: 0:8000 > Accept: */* > Destination: http://localhost:4000/foo%5Bbar%5D.txt > }}} Back in the second terminal window: {{{ ($ nc -l 8010) GET /%41.txt HTTP/1.0 Destination: http://localhost:4000/foo%255Bbar%255D.txt Host: 127.0.0.1:8010 Connection: close User-Agent: curl/7.30.0 Accept: */* }}} The **problem is** that the Destination header was changed from `...foo%5Bbar%5D.txt` to `...foo%255Bbar%255D.txt`. This happens only when - that `if ( $http_destination ~* ^(.*)$ )` is processed - and URL (HTTP GET URL, not that Destination URL) also contains urlencoded (%41) character(s). In other cases (URL does not contain urlencoded character or that `if` is not matched) the Destination header is proxy_passed untouched, which is expected behavior. ------ Note: Why do I need that `if ( $http_destination ~* ^(.*)$ )`? In this example it is simplified, but for that Subversion setup I have mentioned I need to rewrite the Destination from https to http when nginx proxy_passes from https to Apache over http. This bug also happens on nginx/0.7.67 in Debian Squeeze." defect accepted minor nginx-core rewrite Darwin messamac.local 11.4.2 Darwin Kernel Version 11.4.2: Thu Aug 23 16:25:48 PDT 2012; root:xnu-1699.32.7~1/RELEASE_X86_64 x86_64 "nginx version: nginx/1.4.0 configure arguments: --prefix=/opt/local --with-cc-opt='-I/opt/local/include -O2' --with-ld-opt=-L/opt/local/lib --conf-path=/opt/local/etc/nginx/nginx.conf --error-log-path=/opt/local/var/log/nginx/error.log --http-log-path=/opt/local/var/log/nginx/access.log --pid-path=/opt/local/var/run/nginx/nginx.pid --lock-path=/opt/local/var/run/nginx/nginx.lock --http-client-body-temp-path=/opt/local/var/run/nginx/client_body_temp --http-proxy-temp-path=/opt/local/var/run/nginx/proxy_temp --http-fastcgi-temp-path=/opt/local/var/run/nginx/fastcgi_temp --http-uwsgi-temp-path=/opt/local/var/run/nginx/uwsgi_temp --with-ipv6"