Commit Graph

9 Commits (6b90ca820f5244fd88e8b407419da359d5d068b9)

Author SHA1 Message Date
sebres ed22ddbbbb Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10 2018-01-17 16:42:56 +01:00
sebres 63e906b2c1 regex rewritten: a bit fewer vulnerable now and using non-capturing groups, test-cases extended in order to cover trying of injection on user name 2018-01-17 16:35:32 +01:00
Benedikt Seidl fed6c49c2d nginx-http-auth: match usernames with spaces
# Conflicts:
#	ChangeLog
2018-01-17 16:35:31 +01:00
sebres ab0ac2111c added possibility to specify more precise default date pattern:
- `datepattern = {^LN-BEG}` - only line-begin anchored default patterns
     (matches date only at begin of line, or with max distance up to 2 non-alphanumeric characters from line-begin);
  - `datepattern = {*WD-BEG}` - only word-begin anchored default patterns;
  - `datepattern = ^prefix{DATE}suffix` - exact specified default patterns (using prefix and suffix);
common filter configs gets a more precise, line-begin anchored (datepattern = {^LN-BEG}) resp. custom anchoring default date-patterns;
2016-10-17 11:18:30 +02:00
Yaroslav Halchenko 5bccec61e4 ENH: adding pruned with previous merge trailing \s* in nginx filter 2014-04-03 21:31:46 -04:00
Yung-Chin Oei 941a38ea8e nginx-http-auth: match when "referrer" is present
A sample log-line is provided.  The updated regex successfully matches
this line.

Signed-off-by: Yung-Chin Oei <yungchin@yungchin.nl>
2014-04-04 01:27:39 +01:00
yungchin 6e8c1b2871 nginx-http-auth filter: match server_name = ""
As documented at
http://nginx.org/en/docs/http/server_names.html#miscellaneous_names "If
no server_name is defined in a server block then nginx uses the empty
name as the server name."  This regex change allows us to match error
output for such a configuration.

The log line added to the tests was lifted from our logs verbatim; it
did not match without the patched regex.

Signed-off-by: Yung-Chin Oei <yungchin@yungchin.nl>
2014-04-03 11:04:21 +01:00
Yaroslav Halchenko ac061155f0 BF: anchor introduced nginx-http-auth at the end
needed since request probably could be not a correct HTTP statement but continue with
all those to match till the end and then injected ", client: VICTIM, server..." thus allowing
injection.  We better anchor at the end then
2013-11-08 14:40:52 -08:00
Daniel Black a148d35d70 ENH: add filter.d/nginx-http-auth. Partially forfills #405 2013-11-08 10:06:40 +11:00