Opened 10 years ago

Closed 10 years ago

#614 closed defect (wontfix)

nginx eats "%25" from URL

Reported by: Owned by:
Priority: minor Milestone:
Component: nginx-core Version: 1.6.x
Keywords: Cc:
uname -a: Linux myhostname 2.6.32-531.17.1.lve1.2.60.el6.x86_64 #1 SMP Tue Jul 8 11:25:32 EDT 2014 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.6.1
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-3) (GCC)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/ --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_spdy_module --with-cc-opt='-O2 -g -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'


'%25' in URL gets decoded by nginx-1.6.1 as empty string, '%25%25' gets decoded as single '%' character. Currently we solved this issue by downgrading to nginx-1.4.7.

Related line from the error log:

2014/08/25 15:49:28 [error] 658511#0: *41842 open() "/home/username/public_html/external_c/ardent/%32/326/" failed (2: No such file or directory), client: xx.xx.xx.xx, server: , request: "GET /external_c/ardent/%25%2532/326/ HTTP/1.1", upstream: "http://xx.xx.xx.xx:81/external_c/ardent/%25%2532/326/", host: ""

Change History (2)

comment:1 by, 10 years ago

Note that URL is passed to nginx by apache via X-Accel-Redirect header.

comment:2 by Maxim Dounin, 10 years ago

Resolution: wontfix
Status: newclosed

Starting with nginx 1.5.9, nginx expects escaped URIs in X-Accel-Redirect, see CHANGES:

Changes with nginx 1.5.9                                         22 Jan 2014

    *) Change: now nginx expects escaped URIs in "X-Accel-Redirect" headers.


See ticket #316 for some background info on why the change was made (notably, it wasn't possible to return files with the "?" in the name using X-Accel-Redirect). You have to change your backend code accordingly, to return escaped URIs in X-Accel-Redirect headers.

Note: See TracTickets for help on using tickets.