Block $bad_uri_words prototype

[duzun]

I have created a new rule to block some injection attempts by testing the incoming $request_uri.

I don't know how to correctly add these changes to the repo :(

Maybe it is worth adding a similar rule based on $uri, which is a normalized version of $request_uri.

[auto-comment]

Thank your for raising your pull request.
Please make sure you have followed our contributing guidelines. We will review it as soon as possible

[mitchellkrogza]

Thanks for your PR @duzun introducing a new include and mapping can and will break many installations out there who update and have a missing include file. Multiple include files were added from the beginning to allow such customization. Your best approach this to your /bots.d/bad-referrer-words.conf include file as follows.

"~*(?:\b)phpunit(?:\b)"    1;
"~*(?:\b)eval-stdin(?:\b)" 1;

This will work instead of having a complex regex.

[duzun]

I get your point.

But with the current configuration, there is no way to catch the spam words in the $request_uri, and the $http_referer is not enough.

Maybe it makes sense to add the new rule using the existing files, like bots.d/bad-referrer-words.conf?
Users who do not update their bots.d/blockbots.conf would not use the new rule, but it would not brack either.

[mitchellkrogza]

ah ok I get you, I'll have to think about how we could do this without breaking anything. Using the existing include files could work.

[mitchellkrogza]

Let's move these rules to bad-referrer-words.conf

[mitchellkrogza]

This looks fine

[mitchellkrogza]

Make this reference the rules in bad-referrer-words.conf, it also cannot be added here it needs to be added in the two master template files

• https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/blob/master/.dev-tools/globalblacklist.template
• https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker/blob/master/.dev-tools/globalblacklist.template