From ed304b22b94aa1ec4c5ac4d5a36467aa0ca02228 Mon Sep 17 00:00:00 2001 From: David Pascual Date: Mon, 27 Feb 2023 15:49:23 +0100 Subject: [PATCH] fix: Normalize location path to avoid multiple forward slashes Fixes: https://github.com/nginxinc/nginx-s3-gateway/issues/88 --- common/etc/nginx/templates/default.conf.template | 7 +++++++ test/integration/test_api.sh | 2 +- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/common/etc/nginx/templates/default.conf.template b/common/etc/nginx/templates/default.conf.template index 24fae2bb..76a4b90b 100644 --- a/common/etc/nginx/templates/default.conf.template +++ b/common/etc/nginx/templates/default.conf.template @@ -30,6 +30,13 @@ server { # information that could be used to find an exploit. server_tokens off; + # Normalize location path. Remove instances of double/multipe forward slashes. + # Disabling merge_slashes is necessary for this feature to work. + # Disabling port redirection to avoid broken URLs in bridged hosts + port_in_redirect off; + merge_slashes off; + rewrite (.*?)//+(.*) $1/$2 redirect; + # Uncomment this for a HTTP header that will let you know the cache status # of an object. # add_header X-Cache-Status $upstream_cache_status; diff --git a/test/integration/test_api.sh b/test/integration/test_api.sh index 1233dbd2..10e4da21 100644 --- a/test/integration/test_api.sh +++ b/test/integration/test_api.sh @@ -153,7 +153,7 @@ assertHttpRequestEquals "HEAD" "a.txt?some=param&that=should&be=stripped#aaah" " assertHttpRequestEquals "HEAD" "b/c/d.txt" "200" assertHttpRequestEquals "HEAD" "b/c/../e.txt" "200" assertHttpRequestEquals "HEAD" "b/e.txt" "200" -assertHttpRequestEquals "HEAD" "b//e.txt" "200" +assertHttpRequestEquals "HEAD" "b//e.txt" "302" assertHttpRequestEquals "HEAD" "a/abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.txt" "200" # We try to request URLs that are properly encoded as well as URLs that