See https://github.com/aegir-project/provision/blob/7.x-3.x/http/Provision/C...
Aegir's nginx config is blocking requests containing .. in the query string and I'm trying to figure out why. The comment says "for security reasons" but doesn't say what this actually mitigates.

I need to allow requests with this string in order to use Google's OpenID Connect implementation. The oauth redirect request from Google contains a session_state query parameter with .. in it.

If we can find out what this is trying to mitigate I can hopefully rewrite the regexp to be more specific rather than removing that check completely.

CommentFileSizeAuthor
#5 2841717-5.patch606 bytesJamesK

Comments

JamesK created an issue. See original summary.

memtkmcc’s picture

memtkmcc commented
Status: Active » Closed (works as designed)

It has been added to prevent directory traversal attacks. Examples:

http://www.cvedetails.com/cve/CVE-2009-3898/
https://www.coresecurity.com/content/nginx-encoded-directory-trasversal-...

memtkmcc’s picture

memtkmcc commented

Feel free to re-open if you think you can suggest a patch without opening security holes.

JamesK’s picture

JamesK commented
Assigned: Unassigned » JamesK
Status: Closed (works as designed) » Active

If that's the case, wouldn't it work better to filter ../ instead?

JamesK’s picture

JamesK commented
Status: Active » Needs review
StatusFileSize
new 2841717-5.patch606 bytes
memtkmcc’s picture

memtkmcc commented

Makes sense, thanks!

  • memtkmcc committed 07654de on 7.x-3.x authored by JamesK 
    Issue #2841717 by JamesK: Why block nginx requests with a pair of...
memtkmcc’s picture

memtkmcc commented
Assigned: JamesK » Unassigned
Status: Needs review » Fixed

Patch committed, thank you!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.