id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
374	Nginx not detecting malformed percent encoding in query string	Colin Matthias		"When serving a request with bad percent encoding in the path portion of the URL, nginx returns a 400 Bad Request error. Example: 

{{{

$ curl -v ""http://localhost/%RRfoo.html""

* About to connect() to localhost port 80 (#0)
*   Trying ::1... Connection refused
*   Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 80 (#0)
> GET /%RRfoo.html HTTP/1.1
> User-Agent: curl/7.21.7 (x86_64-redhat-linux-gnu) libcurl/7.21.7 NSS/3.13.3.0 zlib/1.2.5 libidn/1.22 libssh2/1.2.7
> Host: localhost
> Accept: */*
>
< HTTP/1.1 400 Bad Request
< Server: nginx/1.2.6
< Date: Tue, 11 Jun 2013 16:50:39 GMT
< Content-Type: text/html
< Content-Length: 172
< Connection: close

}}}

However, when the bad percent encoding is in the query portion of the URL, nginx fails to detect this condition and passes the bad URL along to our web framework/stack (in this case, Passenger/Rack/Rails), where it throws a 500 Internal Server Error:

{{{

$ curl -v ""http://localhost/?q=%RRfoo.html""
* About to connect() to localhost port 80 (#0)
*   Trying ::1... Connection refused
*   Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 80 (#0)
> GET /?q=%RRfoo.html HTTP/1.1
> User-Agent: curl/7.21.7 (x86_64-redhat-linux-gnu) libcurl/7.21.7 NSS/3.13.3.0 zlib/1.2.5 libidn/1.22 libssh2/1.2.7
> Host: localhost
> Accept: */*
>
< HTTP/1.1 500 Internal Server Error
< Content-Type: text/html; charset=utf-8
< Content-Length: 728
< Connection: keep-alive
< Status: 500
< X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.19
< X-Request-Id: 4a9549a1fa73eedf39c4264ceed95fff
< X-Runtime: 0.148903
< Date: Tue, 11 Jun 2013 16:52:29 GMT
< X-Rack-Cache: pass
< Server: nginx/1.2.6 + Phusion Passenger 3.0.19

}}}

This inconsistency is causing issues in our app. Per RFC 3986, section 3.4 (http://tools.ietf.org/html/rfc3986#section-3.4) I would expect the query portion of the URL to be treated the same as the path for the purposes of percent encoding.

Note that this occurs on our 1.2.6 installation of nginx, but making the same requests to http://nginx.org, which appears to be running 1.5.0, produces the same results."	defect	closed	minor		nginx-core	1.2.x	wontfix			Linux mvweb1 3.3.6-3.fc16.x86_64 #1 SMP Wed May 16 21:43:01 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux	"nginx version: nginx/1.2.6
built by gcc 4.6.3 20120306 (Red Hat 4.6.3-2) (GCC)
TLS SNI support enabled
configure arguments: --prefix=/opt/nginx --with-http_ssl_module --with-http_gzip_static_module --with-cc-opt=-Wno-error --with-pcre=/tmp/root-passenger-21941/pcre-8.31 --add-module=/usr/local/rvm/gems/ruby-1.9.3-p392/gems/passenger-3.0.19/ext/nginx"
