Argument Delimiter

[dakanji]

Hi.

I have a PHP application that uses ";" to delimit GET arguments as in "/index.php?a=1;b=2". It seems that get I run ngx.req.get_uri_args, this gets passed as a single argument "a=1;b=2" instead of two, "a=1" and "b=2".

Using ngx_lua to filter inputs, I am getting many false positives because of this. Is it possible to tell the app to consider other delimiters apart from "&" as it is in PHP?

Thanks

[agentzh]

On Wed, Jan 4, 2012 at 6:03 PM, dakanji
[email protected]
wrote:

I have a PHP application that uses ";" to delimit GET arguments as in "/index.php?a=1;b=2". It seems that get I run ngx.req.get_uri_args, this gets passed as a single argument "a=1;b=2" instead of two, "a=1" and "b=2".

Using ngx_lua to filter inputs, I am getting many false positives because of this. Is it possible to tell the app to consider other delimiters apart from "&" as it is in PHP?

How about providing a config directive to control this on the location
level or server level? For instance,

location / {
    lua_query_arg_separator ";";
    ...
}

But only one character delimiter is supported due to performance
reasons. Will that work for you?

Thanks!
-agentzh

[dakanji]

Hi.

That will be a big improvement for me although it would be far better if it could be an additional delimiter to "&" rather than a an override/replacement.

As said though, a replacement would still be great.

Thanks

[agentzh]

On Wed, Jan 4, 2012 at 9:59 PM, dakanji
[email protected]
wrote:

Hi.

That will be a big improvement for me although it would be far better if it could be an additional delimiter to "&" rather than a an override/replacement.

As said though, a replacement would still be great.

Okay, I'll make lua_arg_separators accept multiple characters:

lua_arg_separator ";&";

Then both "&" and ";" will be honored as query string separators. Do
you like it?

Best,
-agentzh

[agentzh]

On Wed, Jan 4, 2012 at 10:14 PM, agentzh [email protected] wrote:

Okay, I'll make lua_arg_separators accept multiple characters:

   lua_arg_separator ";&";

Sorry, it should be in the plural form:

lua_arg_separators ";&";

Regards,
-agentzh

[dakanji]

Do I like it? I am doing cartwheels in anticipation!!

I take it that it goes without saying that you will handle the fact that "&" is the default.

I suppose there are two approaches:

1. For the directive to define additional delimiters to "&"
2. For the directive to override the default "&" which would be used if the directive is absent.

Seems you are going for #2 which I suppose is more flexible.

[agentzh]

On Wed, Jan 4, 2012 at 10:21 PM, dakanji
[email protected]
wrote:

1. For the directive to define additional delimiters to "&"
2. For the directive to override the default "&" which would be used if the directive is absent.

Seems you are going for #2 which I suppose is more flexible.

Yeah, I meant #2 :)

Will you provide a patch for it? ;)

Regards,
-agentzh

[dakanji]

I would when I go beyond "Hello World" in my "C" programing. Maybe sometime before December if things go well :)

[agentzh]

On Wed, Jan 4, 2012 at 10:30 PM, dakanji
[email protected]
wrote:

I would when I go beyond "Hello World" in my "C" programing. Maybe sometime before December if things go well :)

Heh. I'll look into this by this weekend. I have something else to do
in the next two days :)

Regards,
-agentzh

[dakanji]

Not making much progress in learning 'C' ... so still waiting :)

[dakanji]

Managed to work around this PITA with the following

rewrite_by_lua '
local oldURI = ngx.unescape_uri(ngx.var.request_uri)
local flag = ngx.re.match(oldURI, ";", "io")
if flag then
local newURI, _ = ngx.re.gsub(oldURI, ";", "&", "io")
return ngx.redirect(newURI, ngx.HTTP_MOVED_PERMANENTLY)
end
';

Love the flexibility of the module!

[dakanji]

Unfortunately, the solution posted is fine for GET requests but is playing havoc with POST requests.

[dakanji]

This variant seems to work better.

Handles POST request using location.capture

rewrite_by_lua '
local oldURI = ngx.unescape_uri(ngx.var.request_uri)
local flag = ngx.re.match(oldURI, ";", "io")
if flag then
local newURI, _ = ngx.re.gsub(oldURI, ";", "&")
if ngx.var.request_method == "POST" then
ngx.req.read_body()
local postargs = ngx.req.get_post_args()
res = ngx.location.capture(
newURI,
{
method = ngx.HTTP_POST,
args = postargs
}
)
ngx.print(res.body)
ngx.exit(ngx.HTTP_OK)
else
return ngx.redirect(newURI, ngx.HTTP_MOVED_PERMANENTLY)
end
end
';

Leaving the issue open as the best answer will be something within the module itself. Also raised a ticket on additional delimiters with the main team.

Fingers crossed!

EDIT: Doesn't work as expected in all cases.

[jayce-jia]

@agentzh Hey, Yichun.

Any progress on this feature? I encountered the same problem in some old systems.

I assume all the reserved characters in RFC3986 should be able to be configured as parameter delimiters.

Thanks!

[dakanji]

Guess it's about time to close this one down!