How is this not seen as a vulnerability in nginx? This behavior is utterly absurd, seems to have no beneficial purpose, and straightforwardly exploitable.
It's done for speed. Straightforward text replacement is so much faster than checking to see if a path is properly terminated by a slash. And remember that Nginx became popular due to benchmarks that showed that it was more "web scale" than Apache2.
I find it hard to believe that searching for “..” would even show up in a benchmark.
In any case, it seems that nginx does try to search for .. but has a bug in the corner case where the “location” doesn’t end with a slash. I assume there’s some kind of URL normalization pass that happens before the routing pass, and if the route matches part of a path component, nothing catches the ..
If I’m right, this is just an IMO rather embarrassing bug and should be fixed.
Your comment makes nginx sound like some fly-by-night server that only achieved its performance by making lots of tiny-yet-dangerous "optimisations" like this one.
More likely it is an omission, which could be rectified with a warning or failure running nginx -t (verify configuration).
The actual performance comes from an architectural choice between event vs process based servers, as detailed in the C10k problem article. [1]
They could simply normalize the paths when parsing the configuration file. The overhead wouldn’t show up in a benchmark because it only happens once at startup (and maybe when the conf file changes).
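As an added example (not code from this thread or from nginx itself), the kind of startup-time check the comments above ask for: a minimal Python lint that flags a prefix `location` with no trailing slash whose block aliases into a directory. It assumes the text-replacement behaviour being discussed is nginx's `alias` directive, and uses a deliberately simplified parser over a constructed config rather than nginx's real grammar.

```python
import re

# Simplified grammar: "location [modifier] <prefix> { ... }" blocks that do not
# nest. Real nginx configs nest blocks and include files; this is only a lint
# sketch, not a substitute for nginx -t.
LOCATION_RE = re.compile(
    r'location\s+(?:(?P<mod>=|~\*?|\^~)\s+)?(?P<prefix>[^\s{]+)\s*\{(?P<body>[^{}]*)\}',
    re.DOTALL,
)
ALIAS_RE = re.compile(r'\balias\s+([^;]+);')

def find_off_by_slash(config_text):
    """Return (location_prefix, alias_path) pairs that look risky.

    A prefix location is matched as a plain text prefix. When it lacks a
    trailing slash and its alias is a directory, the prefix is replaced by the
    alias as text, so a request path continuing with '../' is resolved relative
    to the alias directory's parent. Regex (~) and exact (=) locations are
    skipped: they are not plain prefix replacements.
    """
    findings = []
    for m in LOCATION_RE.finditer(config_text):
        if m.group('mod') in ('=', '~', '~*'):
            continue
        alias = ALIAS_RE.search(m.group('body'))
        if alias is None:
            continue
        prefix, target = m.group('prefix'), alias.group(1).strip()
        if not prefix.endswith('/') and target.endswith('/'):
            findings.append((prefix, target))
    return findings

# Constructed sample config: the first block is the risky shape, the second is
# the same mapping with the location and the alias both ending in a slash.
SAMPLE_CONFIG = """
location /static {
    alias /var/www/app/static/;
}
location /assets/ {
    alias /var/www/app/assets/;
}
"""

if __name__ == "__main__":
    for prefix, target in find_off_by_slash(SAMPLE_CONFIG):
        print(f"warning: location '{prefix}' lacks a trailing slash but alias '{target}' is a directory")
```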
And a good carpenter understands that tools can be better or worse, and that a good carpenter who uses bad tools will be worse off than a good carpenter who uses good tools. It's not wrong of anyone (regardless of skill level) to demand better tools; power is not a blanket excuse for poor design. You can have powerful tools with non-dangerous defaults.
Yeah, after that phrase confusing me for years, I concluded that it really means a good craftsman won't even have bad (ie blame worthy) tools to begin with.
False dichotomy. Tools can be "powerful" without being easy to misconfigure. To use a carpenter example, circular saws have guard shields that snap into place if the saw is free in the air. Seems like a good thing, no? Are saws meaningfully less "powerful" because of this security feature?
Shall we make straight razors illegal too while we're at it?
Let's not reduce everything to the least common denominator lest we end up like (formerly) Oregon where you couldn't pump your own gas because it was "dangerous" for the lay person.
Illegal? No, we don't need to do that. But we can certainly point out that safety razors already exist, are much easier to use safely and correctly, and do at least as good of a job for 99.9...% of people.
This also means that if someone chooses to use a straight razor it is immediate cause for suspicion of their reasons (e.g. it might be an aesthetic preference rather than dispassionately choosing the best tool for the job) and if they advise other people to use that tool, we can call that out as bad advice.
So we don't need to make Nginx illegal, or make that default illegal, but we can certainly point out that it's a foolish default when it offers no extra power to anyone, but offers significant risk to many.
I don't think you'd find a single woodworker anywhere who, if they could afford it, wouldn't prefer a table saw with Sawstop. How much are your fingers worth to you?
A poor carpenter blames his tools because it is the carpenter who maintains them. Unless you’re contributing back to upstream nginx’s code, the analogy isn’t apt. A carpenter could and should simply choose the best tool for the job, and when they determine what that tool is, maintain it as well as can be.