Argument Delimiter #77

Open
dakanji opened this Issue Jan 4, 2012 · 12 comments

Comments

Projects
None yet
2 participants

dakanji commented Jan 4, 2012

Hi.

I have a PHP application that uses ";" to delimit GET arguments as in "/index.php?a=1;b=2". It seems that get I run ngx.req.get_uri_args, this gets passed as a single argument "a=1;b=2" instead of two, "a=1" and "b=2".

Using ngx_lua to filter inputs, I am getting many false positives because of this. Is it possible to tell the app to consider other delimiters apart from "&" as it is in PHP?

Thanks

Owner

agentzh commented Jan 4, 2012

On Wed, Jan 4, 2012 at 6:03 PM, dakanji
reply@reply.github.com
wrote:

I have a PHP application that uses ";" to delimit GET arguments as in "/index.php?a=1;b=2". It seems that get I run ngx.req.get_uri_args, this gets passed as a single argument "a=1;b=2" instead of two, "a=1" and "b=2".

Using ngx_lua to filter inputs, I am getting many false positives because of this. Is it possible to tell the app to consider other delimiters apart from "&" as it is in PHP?

How about providing a config directive to control this on the location
level or server level? For instance,

location / {
    lua_query_arg_separator ";";
    ...
}

But only one character delimiter is supported due to performance
reasons. Will that work for you?

Thanks!
-agentzh

dakanji commented Jan 4, 2012

Hi.

That will be a big improvement for me although it would be far better if it could be an additional delimiter to "&" rather than a an override/replacement.

As said though, a replacement would still be great.

Thanks

Owner

agentzh commented Jan 4, 2012

On Wed, Jan 4, 2012 at 9:59 PM, dakanji
reply@reply.github.com
wrote:

Hi.

That will be a big improvement for me although it would be far better if it could be an additional delimiter to "&" rather than a an override/replacement.

As said though, a replacement would still be great.

Okay, I'll make lua_arg_separators accept multiple characters:

lua_arg_separator ";&";

Then both "&" and ";" will be honored as query string separators. Do
you like it?

Best,
-agentzh

Owner

agentzh commented Jan 4, 2012

On Wed, Jan 4, 2012 at 10:14 PM, agentzh agentzh@gmail.com wrote:

Okay, I'll make lua_arg_separators accept multiple characters:

   lua_arg_separator ";&";

Sorry, it should be in the plural form:

lua_arg_separators ";&";

Regards,
-agentzh

dakanji commented Jan 4, 2012

Do I like it? I am doing cartwheels in anticipation!!

I take it that it goes without saying that you will handle the fact that "&" is the default.

I suppose there are two approaches:

  1. For the directive to define additional delimiters to "&"
  2. For the directive to override the default "&" which would be used if the directive is absent.

Seems you are going for #2 which I suppose is more flexible.

Owner

agentzh commented Jan 4, 2012

On Wed, Jan 4, 2012 at 10:21 PM, dakanji
reply@reply.github.com
wrote:

  1. For the directive to define additional delimiters to "&"
  2. For the directive to override the default "&" which would be used if the directive is absent.

Seems you are going for #2 which I suppose is more flexible.

Yeah, I meant #2 :)

Will you provide a patch for it? ;)

Regards,
-agentzh

dakanji commented Jan 4, 2012

I would when I go beyond "Hello World" in my "C" programing. Maybe sometime before December if things go well :)

Owner

agentzh commented Jan 4, 2012

On Wed, Jan 4, 2012 at 10:30 PM, dakanji
reply@reply.github.com
wrote:

I would when I go beyond "Hello World" in my "C" programing. Maybe sometime before December if things go well :)

Heh. I'll look into this by this weekend. I have something else to do
in the next two days :)

Regards,
-agentzh

dakanji commented May 26, 2012

Not making much progress in learning 'C' ... so still waiting :)

dakanji commented Sep 23, 2012

Managed to work around this PITA with the following

rewrite_by_lua '
local oldURI = ngx.unescape_uri(ngx.var.request_uri)
local flag = ngx.re.match(oldURI, ";", "io")
if flag then
local newURI, _ = ngx.re.gsub(oldURI, ";", "&", "io")
return ngx.redirect(newURI, ngx.HTTP_MOVED_PERMANENTLY)
end
';

Love the flexibility of the module!

dakanji closed this Sep 23, 2012

dakanji reopened this Sep 28, 2012

dakanji commented Sep 28, 2012

Unfortunately, the solution posted is fine for GET requests but is playing havoc with POST requests.

dakanji commented Sep 28, 2012

This variant seems to work better.

Handles POST request using location.capture

rewrite_by_lua '
local oldURI = ngx.unescape_uri(ngx.var.request_uri)
local flag = ngx.re.match(oldURI, ";", "io")
if flag then
local newURI, _ = ngx.re.gsub(oldURI, ";", "&")
if ngx.var.request_method == "POST" then
ngx.req.read_body()
local postargs = ngx.req.get_post_args()
res = ngx.location.capture(
newURI,
{
method = ngx.HTTP_POST,
args = postargs
}
)
ngx.print(res.body)
ngx.exit(ngx.HTTP_OK)
else
return ngx.redirect(newURI, ngx.HTTP_MOVED_PERMANENTLY)
end
end
';

Leaving the issue open as the best answer will be something within the module itself. Also raised a ticket on additional delimiters with the main team.

Fingers crossed!

EDIT: Doesn't work as expected in all cases.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment