Opened 6 years ago

Closed 6 years ago

#670 closed defect (invalid)

%0a. routing bypass

Reported by: Adam Surak Owned by:
Priority: major Milestone:
Component: nginx-core Version: 1.6.x
Keywords: Cc:
uname -a: Linux c5-eu-3.algolia.io 3.10.23-xxxx-std-ipv6-64 #1 SMP Tue Mar 18 14:48:24 CET 2014 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.6.2
built by gcc 4.8.2 (Ubuntu 4.8.2-19ubuntu1)
TLS SNI support enabled
configure arguments: --with-http_stub_status_module --with-http_gzip_static_module --with-http_ssl_module --add-module=../../algolia --add-module=../headers-more-nginx-module-0.22 --with-ipv6

Description

Hello,

I have noticed the following issue in my logs:

.pl" failed (2: No such file or directory), client: 37.187.28.218, server: apieu1.algolia.com, request: "GET /cgi.cgi/scripts/*%0a.pl HTTP/1.0", host: "***"
2014/11/22 20:33:38 [error] 8963#0: *24802 open() "/home/prod/prod/config/html/webcgi/scripts/*
.pl" failed (2: No such file or directory), client: 37.187.28.218, server: apieu1.algolia.com, request: "GET /webcgi/scripts/*%0a.pl HTTP/1.0", host: "***"
2014/11/22 20:33:38 [error] 8963#0: *24803 open() "/home/prod/prod/config/html/cgi-914/scripts/*
.pl" failed (2: No such file or directory), client: 37.187.28.218, server: apieu1.algolia.com, request: "GET /cgi-914/scripts/*%0a.pl HTTP/1.0", host: "***"
2014/11/22 20:33:38 [error] 8963#0: *24804 open() "/home/prod/prod/config/html/cgi-915/scripts/*
.pl" failed (2: No such file or directory), client: 37.187.28.218, server: apieu1.algolia.com, request: "GET /cgi-915/scripts/*%0a.pl HTTP/1.0", host: "***"
2014/11/22 20:33:38 [error] 8963#0: *24805 open() "/home/prod/prod/config/html/bin/scripts/*
.pl" failed (2: No such file or directory), client: 37.187.28.218, server: apieu1.algolia.com, request: "GET /bin/scripts/*%0a.pl HTTP/1.0", host: "***"
2014/11/22 20:33:38 [error] 8963#0: *24806 open() "/home/prod/prod/config/html/cgi/scripts/*
.pl" failed (2: No such file or directory), client: 37.187.28.218, server: apieu1.algolia.com, request: "GET /cgi/scripts/*%0a.pl HTTP/1.0", host: "***"
2014/11/22 20:33:38 [error] 8963#0: *24807 open() "/home/prod/prod/config/html/mpcgi/scripts/*
.pl" failed (2: No such file or directory), client: 37.187.28.218, server: apieu1.algolia.com, request: "GET /mpcgi/scripts/*%0a.pl HTTP/1.0", host: "***"
2014/11/22 20:33:38 [error] 8963#0: *24808 open() "/home/prod/prod/config/html/cgi-bin/scripts/*
.pl" failed (2: No such file or directory), client: 37.187.28.218, server: apieu1.algolia.com, request: "GET /cgi-bin/scripts/*%0a.pl HTTP/1.0", host: "***"
2014/11/22 20:33:38 [error] 8963#0: *24809 open() "/home/prod/prod/config/html/ows-bin/scripts/*
.pl" failed (2: No such file or directory), client: 37.187.28.218, server: apieu1.algolia.com, request: "GET /ows-bin/scripts/*%0a.pl HTTP/1.0", host: "***"
2014/11/22 20:33:38 [error] 8963#0: *24810 open() "/home/prod/prod/config/html/cgi-sys/scripts/*
.pl" failed (2: No such file or directory), client: 37.187.28.218, server: apieu1.algolia.com, request: "GET /cgi-sys/scripts/*%0a.pl HTTP/1.0", host: "***"
2014/11/22 20:33:38 [error] 8963#0: *24811 open() "/home/prod/prod/config/html/cgi-local/scripts/*
.pl" failed (2: No such file or directory), client: 37.187.28.218, server: apieu1.algolia.com, request: "GET /cgi-local/scripts/*%0a.pl HTTP/1.0", host: "***"
2014/11/22 20:33:38 [error] 8963#0: *24812 open() "/home/prod/prod/config/html/htbin/scripts/*
.pl" failed (2: No such file or directory), client: 37.187.28.218, server: apieu1.algolia.com, request: "GET /htbin/scripts/*%0a.pl HTTP/1.0", host: "***"
2014/11/22 20:33:38 [error] 8963#0: *24813 open() "/home/prod/prod/config/html/cgibin/scripts/*
.pl" failed (2: No such file or directory), client: 37.187.28.218, server: apieu1.algolia.com, request: "GET /cgibin/scripts/*%0a.pl HTTP/1.0", host: "***"
2014/11/22 20:33:38 [error] 8963#0: *24814 open() "/home/prod/prod/config/html/cgis/scripts/*
.pl" failed (2: No such file or directory), client: 37.187.28.218, server: apieu1.algolia.com, request: "GET /cgis/scripts/*%0a.pl HTTP/1.0", host: "***"
2014/11/22 20:33:38 [error] 8963#0: *24815 open() "/home/prod/prod/config/html/scripts/scripts/*
.pl" failed (2: No such file or directory), client: 37.187.28.218, server: apieu1.algolia.com, request: "GET /scripts/scripts/*%0a.pl HTTP/1.0", host: "***"
2014/11/22 20:33:38 [error] 8963#0: *24816 open() "/home/prod/prod/config/html/cgi-win/scripts/*
.pl" failed (2: No such file or directory), client: 37.187.28.218, server: apieu1.algolia.com, request: "GET /cgi-win/scripts/*%0a.pl HTTP/1.0", host: "***"
2014/11/22 20:33:38 [error] 8963#0: *24817 open() "/home/prod/prod/config/html/fcgi-bin/scripts/*
.pl" failed (2: No such file or directory), client: 37.187.28.218, server: apieu1.algolia.com, request: "GET /fcgi-bin/scripts/*%0a.pl HTTP/1.0", host: "***"
2014/11/22 20:33:38 [error] 8963#0: *24818 open() "/home/prod/prod/config/html/cgi-exe/scripts/*
.pl" failed (2: No such file or directory), client: 37.187.28.218, server: apieu1.algolia.com, request: "GET /cgi-exe/scripts/*%0a.pl HTTP/1.0", host: "***"
2014/11/22 20:33:38 [error] 8963#0: *24819 open() "/home/prod/prod/config/html/cgi-home/scripts/*
.pl" failed (2: No such file or directory), client: 37.187.28.218, server: apieu1.algolia.com, request: "GET /cgi-home/scripts/*%0a.pl HTTP/1.0", host: "***"
2014/11/22 20:33:38 [error] 8963#0: *24820 open() "/home/prod/prod/config/html/cgi-perl/scripts/*

My nginx.conf allows:

/1/
/_
/ - redirect to /1/404

The sequence that triggers this problem is "%0a." in the url. After that nginx starts to look for files on the filesystem.

Change History (4)

comment:1 by Ilyas Bakirov, 6 years ago

Look at ticket #191

comment:2 by Maxim Dounin, 6 years ago

Could you please show some minimal config to reproduce the problem?

comment:3 by Adam Surak, 6 years ago (in reply to comment:2)

Replying to Maxim Dounin:

Could you please show some minimal config to reproduce the problem?

http {
    client_body_temp_path   "../run/body" 1 2;
    include                 ./mime.types;
    access_log              off;
    error_log               ../run/error.log;

    sendfile       on;
    tcp_nopush     on;

    server_tokens off;

    keepalive_timeout  180;
    client_header_timeout 180;
    client_body_timeout 180;
    reset_timedout_connection on;
    send_timeout       10;
    tcp_nodelay        on;
    
    server {
        listen                  80 backlog=32768;

        server_name             apieu1.algolia.com;
        client_max_body_size    1024M;

        gzip                  on;
        gzip_disable          "msie6";
        gzip_min_length       100;
        gzip_types            *;
        gzip_proxied          any;

        more_set_headers 'Access-Control-Allow-Origin: *';
        more_set_headers 'Access-Control-Allow-Methods: GET, PUT, DELETE, POST, OPTIONS';
        more_set_headers 'Access-Control-Allow-Headers: x-algolia-application-id, connection, origin, x-algolia-api-key, content-type, content-length, x-algolia-signature, x-algolia-usertoken, x-algolia-tagfilters, DNT, X-Mx-ReqToken, Keep-Alive, User-Agent, X-Requested-With, If-Modified-Since, Cache-Control, Authorization, Accept';
        more_set_headers 'Access-Control-Allow-Credentials: false';
        
        location /1/ {
            # omitted
        }
        location = /_ {
           stub_status on;
           access_log   off;
           allow 127.0.0.1;
           deny all;
           break;
        }
        location / {
                rewrite     ^.*$ /1/404 permanent;
        }
    }
}

comment:4 by Maxim Dounin, 6 years ago

Resolution: → invalid
Status: new → closed

The problem is in this line:

     rewrite     ^.*$ /1/404 permanent;

It doesn't match the unencoded URI, as ^.*$ doesn't match a string with an embedded newline. If you really want to return a redirect for all requests, use a regular expression which matches everything:

     rewrite     ^    /1/404 permanent;

Or, better yet, use the return directive:

    return 301 /1/404;
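Added example (not part of the ticket or of nginx itself) that reproduces the explanation above with Python's re module, which shares the PCRE defaults that matter here, and scans error-log text of the shape shown in the report for requests carrying an encoded newline; the log lines, hostnames and client addresses in it are constructed.

```python
import re
from urllib.parse import unquote

# The two rewrite patterns from the ticket. nginx runs the regex against the
# already percent-decoded URI, so %0a has become a real '\n' by then. Without
# the DOTALL flag '.' does not match '\n', and '$' only matches at the end of
# the string or just before a *final* '\n'; both re and PCRE behave this way.
BROKEN_REWRITE = re.compile(r"^.*$")   # rewrite ^.*$ /1/404 permanent;
FIXED_REWRITE = re.compile(r"^")       # rewrite ^    /1/404 permanent;


def rewrite_fires(pattern, raw_uri):
    """True if the rewrite regex matches the percent-decoded form of raw_uri."""
    return pattern.search(unquote(raw_uri)) is not None


def falls_through_to_filesystem(raw_uri):
    """True when the broken rewrite does not fire, i.e. location / would try to
    open the decoded path from the document root instead of redirecting."""
    return not rewrite_fires(BROKEN_REWRITE, raw_uri)


# Constructed sample error-log text (hypothetical hosts and addresses). As in
# the ticket, the decoded newline inside the open() path splits the first entry
# across two physical lines; the second entry is an ordinary 404.
SAMPLE_ERROR_LOG = (
    '2014/11/22 20:33:38 [error] 8963#0: *1 open() "/var/www/html/cgi-bin/scripts/*\n'
    '.pl" failed (2: No such file or directory), client: 192.0.2.10, '
    'server: example.test, request: "GET /cgi-bin/scripts/*%0a.pl HTTP/1.0", '
    'host: "example.test"\n'
    '2014/11/22 20:33:39 [error] 8963#0: *2 open() "/var/www/html/favicon.ico" '
    'failed (2: No such file or directory), client: 192.0.2.11, '
    'server: example.test, request: "GET /favicon.ico HTTP/1.1", host: "example.test"\n'
)

# The request field is logged verbatim, so the %0a is still visible there even
# though the open() path shows it decoded.
REQUEST_RE = re.compile(r'request: "(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')
ENCODED_CRLF_RE = re.compile(r"%0[aAdD]")


def requests_with_encoded_newlines(log_text):
    """Return the raw request URIs in log_text that contain an encoded CR or LF."""
    return [
        m.group("uri")
        for m in REQUEST_RE.finditer(log_text)
        if ENCODED_CRLF_RE.search(m.group("uri"))
    ]
```

Note the nuance the comments point at: a newline at the very end of the decoded URI does not defeat ^.*$, because $ is allowed to match just before a final newline; only an embedded one does.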