I find it very unlikely that anyone using nginx does NOT use `set` at least. Most nginx use cases ...

iririririr • today at 6:33 PM • 1 reply • view on HN

I find it very unlikely that anyone using nginx does NOT use `set` at least.

Most nginx use cases are to end tls and then pass the request to node/php/go/etc. So, I bet you have at least one set with attacker controller data on a line like 'proxy_set_header X-Host $host;'

edit: nvm. aparently named captures are not affect. Unless you have a $1 somewhere, it should be fine.

Replies

babuskov • today at 8:06 PM

The default NGINX PHP integration uses this:

    # regex to split $uri to $fastcgi_script_name and $fastcgi_path
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    set $path_info $fastcgi_path_info;

alt Hacker News

Replies