Question/feature: adding a configuration flag to set whether NGiNX should decode percent-encoded characters in URI or not

> [!NOTE]
> 
> I'm **not** a **security expert** and I don't know if that feature might generate vulnerabilities or anything similar (e.g. path traversal attacks). If that's the case, you can directly close or delete the issue, but I'd love to be redirected to some relevant documentation on the topic and/or to receive some guidance on how to approach this task in the correct way 🙂

### Describe the feature you'd like to add to nginx

I'd like to introduce a configuration flag named `decode_percent_characters` (or something similar):

- by default set to `on`, so that it doesn't change NGiNX default behaviour;
- similarly to `merge_slashes`, it's passed to [`ngx_http_parse_complex_uri()`](https://github.com/nginx/nginx/blob/ecb809305e54ed15be9f620d56b19ff4e4be7db5/src/http/ngx_http_parse.c#L1245);
- if set to `off`, NGiNX doesn't replace percent-encoded characters in request URIs, with their respective decoded values (i.e. `%2f` doesn't get decoded to `/` if we set `decode_percent_characters off;` in `nginx.conf`);

#### Example

<details>
<summary>Show/Hide example</summary>

Suppose we have a file `/usr/local/nginx/html/path%2fslash/index.html`:

```html
<!DOCTYPE html>
<html>
  <head>
    <title>Percent-encoded test</title>
  </head>
  <body>
    <h1>Percent-encoded test</h1>
  </body>
</html>
```

File `/usr/local/nginx/conf/nginx.conf`:

```conf
worker_processes  1;

events {
  worker_connections  1024;
}

http {
  decode_percent_characters off;
  
  server {
    listen       80;
    server_name  localhost;
  }
}
```

Test request:

```bash
curl "localhost:80/path%2fslash/"
```

Result:

```bash
<!DOCTYPE html>
<html>
  <head>
    <title>Welcome to nginx!</title>
  </head>
  <body>
    <h1>Welcome to nginx!</h1>
  </body>
</html>
```

Without this change we would get a `404: Not Found` error, and the following log entry in `/usr/local/nginx/logs/error.log`:

```lang-none
2025/02/07 12:15:26 [error] 103512#0: *9 "/usr/local/nginx/html/path/slash/index.html" is not found (2: No such file or directory), client: 127.0.0.1, server: localhost, request: "GET /path%2fslash/ HTTP/1.1", host: "localhost"
```

</details>

### Describe the problem this feature solves

With this feature, we would be able to serve pages containing percent-encoded characters in their path (e.g. `/usr/local/nginx/html/path%2fslash/index.html`).

Additionally, when NGiNX is used as a reverse proxy, such as when it's distributed via OpenResty and used as an API Gateway (e.g. APISIX, Kong, etc.), we can match routes that have **path parameters** containing **percent-encoded characters**, and delegate their decoding to upstreams/other web servers.
Notice that many popular web frameworks already support percent-encoded characters in path parameters:

| Technology         | Supports %-encoded chars   | Usage                  | Docs |
| ------------------ | -------------------------- | ---------------------- | ---- |
| Django (Python)    | 🟢                         | Using `<path:id>`      | [Django - Path Converters](https://docs.djangoproject.com/en/5.1/topics/http/urls/#path-converters) |
| Fastapi (Python)   | 🟢                         | Using `{id:path}`      | [Fastapi - Path Convertor](https://fastapi.tiangolo.com/tutorial/path-params/?h=path+para#path-convertor) |
| Flask (Python)     | 🟢                         | Using `<path:id>`      | [Flask - Variable Rules](https://flask.palletsprojects.com/en/stable/quickstart/#variable-rules) |
| Express (JS)       | 🟢                         | Using `:id` (default)  | - |
| Fastify (JS)       | 🟢                         | Using `:id` (default)  | - |
| Actix Web (Rust)   | 🟢                         | Using `{id}` (default) | - |
| ASP.NET Core (C#)  | 🟢                         | Using `{id}` (default) | - |
| Spring Boot (Java) | 🟢                         | By default requests containing `%2F` in path parameters return `400: Bad Request`, but Tomcat can be configured to allow them | - |
| NGiNX (C)          | 🔴                         | -                      | - |

### Additional context

#### Some References

- pass_proxy subdirectory without url decoding, from a [StackOverflow answer](https://stackoverflow.com/a/37584637/19544859)
- nginx proxy_pass and URL decoding, , from a [StackOverflow answer](https://stackoverflow.com/a/37584656/19544859)
- super old NGiNX closed ticket: [Nginx pass_proxy subdirectory without url decoding](https://trac.nginx.org/nginx/ticket/727)
- workaround: encode `%` in request URIs, from a [StackOverflow answer](https://stackoverflow.com/a/50969016/19544859);

#### Feature Implementation

I already implemented two versions of this feature in a fork:

- flag `decode_percent_characters`, to handle decoding of all percent-encoded characters:  [mikyll/nginx:http_parse_complex_uri_decode_percent](https://github.com/nginx/nginx/compare/master...mikyll:nginx:http_parse_complex_uri_decode_percent). It's pretty straightforward, if `decode_percent_characters` is true, then the `ngx_http_parse_complex_uri()` function doesn't decode `%` characters (when encountering them it simply do not enter `sw_quoted` status);
- flag `decode_slashes`, to handle decoding of only `%2f` (slash `/`) character: [mikyll/nginx:http_parse_complex_uri_decode_slashes](https://github.com/nginx/nginx/compare/master...mikyll:nginx:http_parse_complex_uri_decode_slashes)

#### APISIX Example

With this feature, we could make APISIX correctly match routes containing %-encoded characters in path parameters (when using router `radixtree_uri_with_parameters`, see [APISIX Docs | Router](https://apisix.apache.org/docs/apisix/terminology/router/)), by simply setting the following configuration in `/apisix/path/conf/config.yaml`:

```yaml
nginx_config:
  http_configuration_snippet: |
    decode_percent_characters off;
```

#### OpenResty

Maybe there's a simpler way to handle this via OpenResty [`ngx_http_lua_module`](https://github.com/openresty/lua-nginx-module)?

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Question/feature: adding a configuration flag to set whether NGiNX should decode percent-encoded characters in URI or not #501

Describe the feature you'd like to add to nginx

Example

Describe the problem this feature solves

Additional context

Some References

Feature Implementation

APISIX Example

OpenResty

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Technology	Supports %-encoded chars	Usage	Docs
Django (Python)	🟢	Using `<path:id>`	Django - Path Converters
Fastapi (Python)	🟢	Using `{id:path}`	Fastapi - Path Convertor
Flask (Python)	🟢	Using `<path:id>`	Flask - Variable Rules
Express (JS)	🟢	Using `:id` (default)	-
Fastify (JS)	🟢	Using `:id` (default)	-
Actix Web (Rust)	🟢	Using `{id}` (default)	-
ASP.NET Core (C#)	🟢	Using `{id}` (default)	-
Spring Boot (Java)	🟢	By default requests containing `%2F` in path parameters return `400: Bad Request`, but Tomcat can be configured to allow them	-
NGiNX (C)	🔴	-	-

Question/feature: adding a configuration flag to set whether NGiNX should decode percent-encoded characters in URI or not #501

Description

Describe the feature you'd like to add to nginx

Example

Describe the problem this feature solves

Additional context

Some References

Feature Implementation

APISIX Example

OpenResty

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions