zoukankan      html  css  js  c++  java
  • tengine无法解析ssi报错 Nginx: unsafe URI detected while sending response

    Nginx: unsafe URI detected while sending response
    
    现象:# 类似 <!--#include virtual="../library/header.html"--><div id="blog"> html语法无法解析,导致网站头部尾部不能正常展示
    
    <!--#include virtual="library/header.html"--> 可以解析没有问题
    
    
    
    # 代码片段
    <!DOCTYPE html>
    <html>
    <head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width,initial-scale=1.0">
    <link rel="shortcut icon" href="http://blog.chinasoft.com/static/favicon.ico" />
    <title>Influencer Marketing Tips</title>
    <meta name="description" content="Learn more about the helpful influencer marketing tips for your brand, products or business on chinasoft blog center." />
    </head>
    <body>
    
    <!--#include virtual="../library/header.html"--><div id="blog">
      <div>
        <div class="container py-lg-5" style="max-1200px">
          <div class="bg-light rounded py-4 px-5 mx-auto">
    
    网站头部不能加载影响美观
    
    [root@eus_mp_web01:/data/www/vhosts/blog.chinasoft.com/httpdocs/influencer-marketing-tips]# tail -f /data/www/logs/nginx_log/error/blog.com_error.log
    2019/05/28 01:29:53 [error] 5660#0: *1777504 unsafe URI "/influencer-marketing-tips/../library/footer.html" was detected while sending response to client, client: 1.1.1.1, server: blog.chinasoft.com, request: "GET /influencer-marketing-tips/ HTTP/1.1", host: "blog.chinasoft.com"
    2019/05/28 01:29:54 [error] 5660#0: *1777504 open() "/data/www/vhosts/blog.chinasoft.com/httpdocs/static/favicon.ico" failed (2: No such file or directory), client: 1.1.1.1, server: blog.chinasoft.com, request: "GET /static/favicon.ico HTTP/1.1", host: "blog.chinasoft.com", referrer: "https://blog.chinasoft.com/influencer-marketing-tips/"
    2019/05/28 01:31:08 [error] 5659#0: *1777565 unsafe URI "/influencer-marketing-tips/../library/header.html" was detected while sending response to client, client: 1.1.1.1, server: blog.chinasoft.com, request: "GET /influencer-marketing-tips/ HTTP/1.1", host: "blog.chinasoft.com"
    2019/05/28 01:31:08 [error] 5659#0: *1777565 unsafe URI "/influencer-marketing-tips/../library/footer.html" was detected while sending response to client, client: 1.1.1.1, server: blog.chinasoft.com, request: "GET /influencer-marketing-tips/ HTTP/1.1", host: "blog.chinasoft.com"
    2019/05/28 01:31:25 [error] 5660#0: *1777568 unsafe URI "/influencer-marketing-tips/../library/header.html" was detected while sending response to client, client: 1.1.1.1, server: blog.chinasoft.com, request: "GET /influencer-marketing-tips/ HTTP/1.1", host: "blog.chinasoft.com"
    2019/05/28 01:31:25 [error] 5660#0: *1777568 unsafe URI "/influencer-marketing-tips/../library/footer.html" was detected while sending response to client, client: 1.1.1.1, server: blog.chinasoft.com, request: "GET /influencer-marketing-tips/ HTTP/1.1", host: "blog.chinasoft.com"
    2019/05/28 01:34:00 [error] 7513#0: *23 unsafe URI "/influencer-marketing-tips/../library/header.html" was detected while sending response to client, client: 1.1.1.1, server: blog.chinasoft.com, request: "GET /influencer-marketing-tips/ HTTP/1.1", host: "blog.chinasoft.com"
    2019/05/28 01:34:00 [error] 7513#0: *23 unsafe URI "/influencer-marketing-tips/../library/footer.html" was detected while sending response to client, client: 1.1.1.1, server: blog.chinasoft.com, request: "GET /influencer-marketing-tips/ HTTP/1.1", host: "blog.chinasoft.com"
    2019/05/28 01:41:02 [error] 7907#0: *13 unsafe URI "/influencer-marketing-tips/../library/header.html" was detected while sending response to client, client: 1.1.1.1, server: blog.chinasoft.com, request: "GET /influencer-marketing-tips/ HTTP/1.1", host: "blog.chinasoft.com"
    2019/05/28 01:41:02 [error] 7907#0: *13 unsafe URI "/influencer-marketing-tips/../library/footer.html" was detected while sending response to client, client: 1.1.1.1, server: blog.chinasoft.com, request: "GET /influencer-marketing-tips/ HTTP/1.1", host: "blog.chinasoft.com"
    
    2019/05/28 01:41:26 [error] 7905#0: *28 unsafe URI "/influencer-marketing-tips/../library/header.html" was detected while sending response to client, client: 1.1.1.1, server: blog.chinasoft.com, request: "GET /influencer-marketing-tips/ HTTP/1.1", host: "blog.chinasoft.com"
    2019/05/28 01:41:26 [error] 7905#0: *28 unsafe URI "/influencer-marketing-tips/../library/footer.html" was detected while sending response to client, client: 1.1.1.1, server: blog.chinasoft.com, request: "GET /influencer-marketing-tips/ HTTP/1.1", host: "blog.chinasoft.com"
    
    关于Nginx的SSI(包含路径)
    如果shtml里面的网页代码包含语句写成如下: 
    <!--#include virtual="/test.html"-->
    这样是没有问题,可以包含的,但是如果写成这样:
    
    <!--#include virtual="../test.html"-->
    由于需要包含当前代码文件所在目录路径的上级目录文件,nginx会为此请求产生的子请求uri为/../test.html,默认nginx会认为这个uri并不是安全的,日志(error_log)会输入如下错误:
    
    2019/05/28 01:29:53 [error] 5660#0: *1777504 unsafe URI "/influencer-marketing-tips/../library/footer.html" was detected while sending response to client, client: 1.1.1.1, server: blog.chinasoft.com, request: "GET /influencer-marketing-tips/ HTTP/1.1", host: "blog.chinasoft.com"
    
    不能正确包含文件,页面会输出[an error occurred while processing the directive],解决方法是找到nginx源代码目录的unsafe uri检查函数并强制使其返回一个NGX_OK
    
    # 解决办法:
    
    # 修改源文件tengine-2.2.3/src/http/ngx_http_parse.c
    # 找到ngx_http_parse_unsafe_uri 函数,直接返回 NGX_OK
    
    ngx_http_parse_unsafe_uri(ngx_http_request_t *r, ngx_str_t *uri,
        ngx_str_t *args, ngx_uint_t *flags)
    {
        return NGX_OK;            # 新增return NGX_OK;
        u_char      ch, *p, *src, *dst;
        size_t      len;
        ngx_uint_t  quoted;
    
        len = uri->len;
        p = uri->data;
        quoted = 0;
    
        if (len == 0 || p[0] == '?') {
            goto unsafe;
        }
    
        if (p[0] == '.' && len > 1 && p[1] == '.'
            && (len == 2 || ngx_path_separator(p[2])))
        {
            goto unsafe;
        }
    
        for ( /* void */ ; len; len--) {
    
            ch = *p++;
    
            if (ch == '%') {
                quoted = 1;
                continue;
            }
    
            if (usual[ch >> 5] & (1 << (ch & 0x1f))) {
                continue;
            }
    
            if (ch == '?') {
                args->len = len - 1;
                args->data = p;
                uri->len -= len;
    
                break;
            }
    
    
    # 重新编译即可
    
    ./configure --prefix=/usr/local/tengine-2.2.3_ssi --with-ld-opt=-Wl,-rpath, --user=daemon --group=daemon --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module --with-http_sub_module --with-http_stub_status_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gzip_static_module --with-http_geoip_module --with-http_secure_link_module --with-http_degradation_module --with-mail_ssl_module --with-http_sysguard_module --with-http_concat_module --with-pcre=/usr/local/lab/pcre-8.34 --with-zlib=/usr/local/lab/zlib-1.2.11 --add-module=/usr/local/lab/ngx_cache_purge-2.3 --with-jemalloc --with-http_upstream_check_module --with-http_lua_module --with-luajit-lib=/usr/local/lib/ --with-luajit-inc=/usr/local/include/luajit-2.0/ --with-lua-inc=/usr/local/include/luajit-2.0/ --with-lua-lib=/usr/local/lib/ --with-openssl=/usr/local/lab/openssl-1.1.0i --add-module=/usr/local/ngx_http_geoip2_module-3.2
    
    # make && make install
    
    
    重新编译以后nginx可以包含上级目录的文件,当然,带来的后果是安全性的下降
  • 相关阅读:
    Oracle 查询语句截取字符串
    删除ORACLE数据库中重复的数据
    [易学C#]C#3.0语言新特性之匿名类型
    [讨论]程序之路在何方?
    [易学C#]C#3.0语言新特性之扩展方法
    [易学C#]C#3.0语言新特性之对象和集合初始化器
    用C#解决Oracle9i和Oracle10g字符集不兼容的问题
    一个C#操作Oracle的通用类
    [易学C#]C#3.0语言新特性之隐式类型
    重拾 DirectX 一:配置Visual Studio 2008+Microsoft DirectX SDK (June 2008) 开发环境
  • 原文地址:https://www.cnblogs.com/reblue520/p/10942456.html
Copyright © 2011-2022 走看看