I have files that are served by the backend web app at
`/xxx/File?file=yyy.png`. These files are stored at `/storage/files` on
the server. So, I wrote a location block to serve these files from
storage directly from the web server.
Here is my first take:
```
location /xxx/File {
    if ($request_method = POST ) {
        proxy_pass http://backend;
    }
    alias /storage/files/;
    try_files $arg_file =404;
}
```
The issue is I can do something like `/xxx/File?file=…/…/etc/foo.bar`
and nginx will serve the foo.bar file for me. So, I switched to the
following:
```
location /xxx/File {
    if ($request_method = POST ) {
        proxy_pass http://backend;
    }
    # Dots are escaped so the regex matches a literal ".." and not any two characters.
    if ($arg_file ~ \.\.) { return 403; }
    alias /storage/files/$arg_file;
}
```
Can someone point me to any corner cases that can be exploited and what
is the best practice for situations like these?
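
An added example, not part of the original post: a Python model that compares the `..` substring filter from the second config with an allowlist plus a resolved-path containment check, run over constructed `file` values. The temporary directory stands in for `/storage/files`; the function names and the allowlist pattern are assumptions made for illustration.

```python
import os
import re
import tempfile

# Allowlist (assumption): one path segment, no leading dot, known image extension.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*\.(?:png|jpe?g|gif)")


def dotdot_filter(value):
    """Model of the post's second config: reject only values containing '..'."""
    return ".." not in value


def strict_check(value, base):
    """Allowlist the name, then confirm the resolved path stays under base."""
    if not SAFE_NAME.fullmatch(value):
        return False
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, value))
    return (os.path.commonpath([base_real, target]) == base_real
            and os.path.isfile(target))


def build_sample_tree():
    """Constructed stand-in for /storage/files with a few awkward entries."""
    top = tempfile.mkdtemp()
    base = os.path.join(top, "files")
    os.makedirs(os.path.join(base, "private"))
    for rel in ("files/yyy.png", "files/private/other.png", "outside.png"):
        with open(os.path.join(top, rel), "w") as fh:
            fh.write("x")
    # A symlink inside the storage directory that points outside of it.
    os.symlink(os.path.join(top, "outside.png"), os.path.join(base, "link.png"))
    return base


def compare(base):
    """Return {value: (dotdot_filter result, strict_check result)}."""
    samples = ["yyy.png", "private/other.png", "link.png", "", "a/../yyy.png"]
    return {v: (dotdot_filter(v), strict_check(v, base)) for v in samples}


if __name__ == "__main__":
    for value, verdicts in compare(build_sample_tree()).items():
        print(repr(value), verdicts)
```

The substring filter accepts the subdirectory path, the symlink and the empty value, while the strict check accepts only `yyy.png`. In nginx itself, the symlink case is what the `disable_symlinks` directive addresses.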