Question

I have the following nginx configuration:

server
{
    listen 80 default;
    listen [::]:80 default_server ipv6only=on;
    server_name _;

    root /home/user/websites/$host;
    index index.html;
}

This simplifies the configuration (for my needs), and if I want to serve a new domain or subdomain, I just create the folder /home/user/websites/sub.domain.tld/.

My question is, with this kind of setup, is there any possible way that a malicious user could send an erroneous Host header, and traverse the directory structure?

I have tried the following:

$ curl --header "Host: ../testing" ip.address

For which nginx returns 400 Bad Request as expected. Are there any other ways this might be circumvented, or does nginx protect against this kind of attack?


Solution

It looks like nginx is already enforcing at least some of the restrictions on valid host names, but if you wanted to be sure, you could always use the nginx rewrite module to filter the host names yourself, as in:

if ($host !~ "^[a-z0-9\-]+([.][a-z0-9\-]+)+$") {
    return 400;
}

This should (assuming I got it right; I haven't actually used nginx myself) return a 400 error unless the hostname consists of two or more segments separated by periods, with each segment consisting of one or more ASCII lowercase letters, digits or hyphens. In particular, it should reject any "hostnames" containing slashes or other unexpected punctuation (like backslashes), as well as any hostnames starting with a period.

(Note that this regexp will accept IPv4 addresses, but will reject IPv6 addresses. You may wish to handle those cases separately, if only to provide a better error message. Or maybe not — nobody's using HTTP/0.9 any more.)
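The answer's host filter, as an added Python example that is not part of the original post: it applies the same regex to a set of constructed Host header values (including the `../testing` one from the question), then resolves the per-host document root the way the question's `root /home/user/websites/$host;` line would, and checks that the result stays under the web root. The web root path and the sample hosts are assumptions for the demonstration.

```python
import re
from pathlib import PurePosixPath

# Same pattern as the answer's nginx `if ($host !~ ...)` directive: two or
# more dot-separated labels, each of lowercase letters, digits or hyphens.
HOST_RE = re.compile(r"^[a-z0-9\-]+([.][a-z0-9\-]+)+$")

# Assumed web root, matching the question's configuration.
WEBROOT = PurePosixPath("/home/user/websites")


def host_allowed(host: str) -> bool:
    """True if the Host header value passes the answer's regex."""
    return HOST_RE.match(host) is not None


def resolve_root(host: str):
    """Return the per-host document root, or None if the host is rejected
    or the joined path would escape WEBROOT (a second, independent check)."""
    if not host_allowed(host):
        return None
    candidate = WEBROOT / host
    # PurePosixPath keeps ".." components, so reject them explicitly.
    if ".." in candidate.parts:
        return None
    if WEBROOT not in candidate.parents:
        return None
    return str(candidate)


def check_hosts(hosts):
    """Map each sample Host value to its resolved root (or None)."""
    return {h: resolve_root(h) for h in hosts}


# Constructed sample Host header values for the demonstration.
SAMPLE_HOSTS = [
    "sub.domain.tld",   # normal virtual host
    "../testing",       # the traversal attempt from the question
    "..\\testing",      # backslash variant
    ".domain.tld",      # leading period
    "domain.tld/..",    # slash inside the host
    "192.0.2.10",       # IPv4 literal: accepted by the regex (answer's caveat)
    "[2001:db8::1]",    # IPv6 literal: rejected by the regex (answer's caveat)
]

if __name__ == "__main__":
    for host, root in check_hosts(SAMPLE_HOSTS).items():
        print(f"{host!r:20} -> {root}")
```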

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow