commit: basic parameter blocking
rodzic
52a49ee9ed
commit
48e71ed27a
|
@ -27,10 +27,13 @@ set paths_contain_onions 1
|
|||
set suppress_methods_except_get 1
|
||||
|
||||
# proof-of-concept: block logins by blocking access to login.*
|
||||
set block_host_re ^login\\.
|
||||
#set block_host_re ^login\\.
|
||||
|
||||
# proof-of-concept: block logins by blocking access to login.*
|
||||
set block_location_re ^/login/
|
||||
#set block_location_re ^/login/
|
||||
|
||||
# proof-of-concept: block logins by "parameter,value"
|
||||
set block_param_re title,^Special:UserLogin$
|
||||
|
||||
# blocking access to query parameter lists is more complex, but given
|
||||
# this is a read-only proof of concept with POST blocked, ignore that
|
||||
|
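Review bot: The new `set block_param_re title,^Special:UserLogin$` rule is stepped around by percent-encoding, because nginx exposes `$arg_title` as the raw, undecoded query value: `?title=Special%3AUserLogin` fails the `^Special:UserLogin$` match yet decodes to the same page on the wiki. Commenting out `block_location_re ^/login/` in the same hunk also leaves the path form of the login page (for example `/wiki/Special:UserLogin`, if the target serves it that way) unmatched by either rule. A cheap improvement within the existing mechanism is `set block_param_re title,^Special(:|%3A)UserLogin$` together with a path rule for the same page. The closing comment should also state that the match is on the encoded query value, so a reader knows the limitation is deliberate rather than overlooked.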
|
|
@ -430,6 +430,11 @@ sub DoProject {
|
|||
&SetEnv("host_whitelist_re", "");
|
||||
&SetEnv("host_blacklist_re", "");
|
||||
|
||||
&SetEnv("block_param", "");
|
||||
&SetEnv("block_param_re", "");
|
||||
&SetEnv("param_whitelist_re", "");
|
||||
&SetEnv("param_blacklist_re", "");
|
||||
|
||||
&SetEnv("no_cache_content_type", "");
|
||||
&SetEnv("no_cache_host", "");
|
||||
|
||||
|
|
|
@ -139,6 +139,9 @@ block block_path_re if ( $uri ~* "%0%" )
|
|||
# legacy
|
||||
block block_location location %0%
|
||||
block block_location_re location ~* "%0%"
|
||||
# query parameters
|
||||
block block_param if ( $arg_%1% = "%2%" )
|
||||
block block_param_re if ( $arg_%1% ~* "%2%" )
|
||||
|
||||
# redirects
|
||||
redirect redirect_host_csv if ( $host ~* "%1%" )
|
||||
|
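Review bot: `%1%` and `%2%` are spliced verbatim into `$arg_%1%` and into a double-quoted nginx string, so a parameter name outside `[A-Za-z0-9_]` or a value containing `"` or `$` yields either a config that fails to load or a silently different condition — `utm-source,x` becomes `$arg_utm-source`, which nginx reads as `$arg_utm` followed by the literal `-source`, and the `=` form interpolates any `$` in the value. As far as these hunks show nothing validates either field before generation. I would reject names not matching `^[A-Za-z0-9_]+$` and values containing `"` at generation time, and add above the two new lines: `# %1% must be a valid nginx variable-name suffix; %2% is inserted unescaped`.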
@ -152,3 +155,4 @@ bwlist user_agent if ( $http_user_agent ~* "%0%" )
|
|||
bwlist referer if ( $http_referer ~* "%0%" )
|
||||
bwlist host if ( $http_host ~* "%0%" )
|
||||
bwlist path if ( $uri ~* "%0%" )
|
||||
bwlist param if ( $arg_%1% ~* "%2%" )
|
||||
|
|
|
@ -65,6 +65,24 @@
|
|||
# no polite block for block_location_re (generated)
|
||||
%%ENDIF
|
||||
|
||||
%%IF %BLOCK_PARAM%
|
||||
# polite block for block_param (generated)
|
||||
%%CSV %BLOCK_PARAM%
|
||||
if ( $arg_%1% = "%2%" ) { return 403 "%BLOCK_ERR%"; }
|
||||
%%ENDCSV
|
||||
%%ELSE
|
||||
# no polite block for block_param (generated)
|
||||
%%ENDIF
|
||||
|
||||
%%IF %BLOCK_PARAM_RE%
|
||||
# polite block for block_param_re (generated)
|
||||
%%CSV %BLOCK_PARAM_RE%
|
||||
if ( $arg_%1% ~* "%2%" ) { return 403 "%BLOCK_ERR%"; }
|
||||
%%ENDCSV
|
||||
%%ELSE
|
||||
# no polite block for block_param_re (generated)
|
||||
%%ENDIF
|
||||
|
||||
|
||||
# blacklists (generated)
|
||||
|
||||
|
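Review bot: The two generated forms compare differently — `block_param` uses `=` (exact, case-sensitive) while `block_param_re` uses `~*` (case-insensitive regex) — and neither is explained in the emitted config, so someone reading the generated nginx file will not see why `title,Special:UserLogin` misses `special:userlogin`. Both also compare against the still-percent-encoded query value. I would extend the generated comment lines to `# polite block for block_param (generated; exact, case-sensitive match on the raw undecoded value)` and `# polite block for block_param_re (generated; case-insensitive regex on the raw undecoded value)`.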
@ -104,6 +122,15 @@
|
|||
# no path_blacklist_re (generated)
|
||||
%%ENDIF
|
||||
|
||||
%%IF %PARAM_BLACKLIST_RE%
|
||||
# check param_blacklist_re (generated)
|
||||
%%CSV %PARAM_BLACKLIST_RE%
|
||||
if ( $arg_%1% ~* "%2%" ) { %NGINX_ACTION_ABORT%; }
|
||||
%%ENDCSV
|
||||
%%ELSE
|
||||
# no param_blacklist_re (generated)
|
||||
%%ENDIF
|
||||
|
||||
|
||||
# redirects (generated)
|
||||
|
||||
|
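Review bot: `$arg_%1%` resolves to a single occurrence of the parameter (nginx picks the first one in the query string), so `?title=Main_Page&title=Special:UserLogin` passes `param_blacklist_re` untouched while a backend that honours the last occurrence, as PHP's `$_GET` does, serves the login page; the same applies to the `block_param*` rules earlier in this commit. This is ordinary parameter pollution and deserves a comment in the generated block, e.g. `# NOTE: $arg_X sees one occurrence only; repeated parameters bypass this check`. If that matters for a deployment, a second rule matching `$args` for a repeated name is the simplest mitigation in the existing `if` style.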
@ -177,5 +204,15 @@
|
|||
# no path_whitelist_re (generated)
|
||||
%%ENDIF
|
||||
|
||||
%%IF %PARAM_WHITELIST_RE%
|
||||
# check param_whitelist_re (generated)
|
||||
set $non_whitelist_param 1;
|
||||
%%CSV %PARAM_WHITELIST_RE%
|
||||
if ( $arg_%1% ~* "%2%" ) { set $non_whitelist_param 0; }
|
||||
%%ENDCSV
|
||||
%%ELSE
|
||||
# no param_whitelist_re (generated)
|
||||
%%ENDIF
|
||||
|
||||
|
||||
# ---- END GENERATED CODE ----
|
||||
|
|
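Review bot: A request that omits the whitelisted parameter is rejected rather than ignored: `$arg_%1%` is then empty, no `~*` pattern fires, `$non_whitelist_param` stays `1`, and the later success check aborts. That makes `param_whitelist_re` a requirement that the parameter be present on every request, unlike `path_whitelist_re`, where `$uri` always has a value, and the hunk states this nowhere. Add `# NOTE: a request without the parameter fails the whitelist (an empty $arg_ never matches)` under the generated comment, or have operators write patterns such as `^$|^foo$` when absence should be allowed.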
|
@ -30,5 +30,12 @@
|
|||
# no check for success of path_whitelist_re (generated)
|
||||
%%ENDIF
|
||||
|
||||
%%IF %PARAM_WHITELIST_RE%
|
||||
# check success of param_whitelist_re (generated)
|
||||
if ( $non_whitelist_param ) { %NGINX_ACTION_ABORT%; }
|
||||
%%ELSE
|
||||
# no check for success of param_whitelist_re (generated)
|
||||
%%ENDIF
|
||||
|
||||
|
||||
# ---- END GENERATED CODE ----
|
||||
|
|