Merge pull request #6 from 174001602/master

patch 20200119 修正url 白名单为强匹配防止利用绕过
2020-01-19 21:32:50 +08:00 · 2020-01-19 21:32:50 +08:00 · 782aca99cd
parent b56fa24cee fd566bd0e2
commit 782aca99cd
1 changed files with 14 additions and 2 deletions
--- a/init.lua
+++ b/init.lua
@ -49,8 +49,20 @@ function white_url_check()
        local REQ_URI = string.lower(ngx.var.request_uri)
        if URL_WHITE_RULES ~= nil then
            for _,rule in pairs(URL_WHITE_RULES) do
-                if rule ~= "" and rulematch(REQ_URI,string.lower(rule),"jo") then
-                    return true
+                if rule ~= "" then
+                    local REQ_URI_LEN = string.len(REQ_URI)
+                    local rule_str = string.sub(rule,1,2)
+                    local from, to, err = rulematch(REQ_URI,string.lower(rule),"jo")
+                    if rule_str == "\\." then
+                        local wfrom, wto, werr = rulematch(unescape(REQ_URI),"%?","jo")
+                        if from and REQ_URI_LEN == to and wfrom == nil then
+                            return true
+                        end
+                    elseif from and rule_str == "\\/" and from == 1 then
+                        return true
+                    elseif from and from == 2 then
+                        return true
+                    end
                end
            end
        end