Nginx: Use $args sec filtering only in the extended config [#2667210]

The nginx configuration causes any URL with a ";" to be 403 (access denied). This is a bit over-zealous, considering buggy email readers will convert an ampersand (&) to &.

http/Provision/Config/Nginx/server.tpl.php

map $args $is_denied {
default '';
- ~*delete.+from|insert.+into|select.+from|union.+select|onload|\.php.+src|system\(.+|document\.cookie|\;|\.\. is_denied;
+ ~*delete.+from|insert.+into|select.+from|union.+select|onload|\.php.+src|system\(.+|document\.cookie|\.\. is_denied;
}

Comment	File	Size	Author
#2	0001-Issue-2667210-relax-zealous-security-checks-allow-se.patch	956 bytes	bgm

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

11 February 2016 at 19:39

bgm created an issue. See original summary.

Comment #2

bgm CreditAttribution: bgm commented 11 February 2016 at 19:40

Status:

Active

» Needs review

File	Size
0001-Issue-2667210-relax-zealous-security-checks-allow-se.patch	956 bytes

patch

Comment #3

omega8cc CreditAttribution: omega8cc commented 15 February 2016 at 18:17

It is here by design. Removing protection like this is not a solution, though, if you don't like it. We should perhaps move the configuration which depends on this regex to <?php if ($nginx_config_mode == 'extended'): ?>

###
### Deny listed requests for security reasons.
###
if ($is_denied) {
  return 403;
}

Comment #4

omega8cc CreditAttribution: omega8cc commented 15 February 2016 at 18:21

Title:	nginx over-zealous filter causes 403	» Nginx: Use $args sec filtering only in the extended config
Assigned:	Unassigned	» omega8cc
Category:	Bug report	» Feature request
Status:	Needs review	» Needs work

Comment #5

omega8cc CreditAttribution: omega8cc commented 15 February 2016 at 18:25

Assigned:	omega8cc	» Unassigned
Status:	Needs work	» Fixed

Change committed.

Comment #6

bgm CreditAttribution: bgm commented 15 February 2016 at 19:26

I think it's debatable for the ";" in URLs, but the fix you committed in provision works for me, and I do appreciate that the nginx configuration comes with "batteries included".

Comment #7

omega8cc CreditAttribution: omega8cc commented 16 February 2016 at 19:26

Most of the time the ";" in URLs (args) is a malicious attempt to trick the server into downloading and executing some evil code. The "buggy email readers" problem is a very low price for this protection, and thus the protection shouldn't be removed, but of course it belongs to the 'extended' config mode.

Thanks for bringing this to our attention!