Mercurial > hg > nginx-vendor-current

diff src/http/ngx_http_request.c @ 676:bfa81a0490a2 NGINX_1_3_1

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
nginx 1.3.1 *) Security: now nginx/Windows ignores trailing dot in URI path component, and does not allow URIs with ":$" in it. Thanks to Vladimir Kochetkov, Positive Research Center. *) Feature: the "proxy_pass", "fastcgi_pass", "scgi_pass", "uwsgi_pass" directives, and the "server" directive inside the "upstream" block, now support IPv6 addresses. *) Feature: the "resolver" directive now support IPv6 addresses and an optional port specification. *) Feature: the "least_conn" directive inside the "upstream" block. *) Feature: it is now possible to specify a weight for servers while using the "ip_hash" directive. *) Bugfix: a segmentation fault might occur in a worker process if the "image_filter" directive was used; the bug had appeared in 1.3.0. *) Bugfix: nginx could not be built with ngx_cpp_test_module; the bug had appeared in 1.1.12. *) Bugfix: access to variables from SSI and embedded perl module might not work after reconfiguration. Thanks to Yichun Zhang. *) Bugfix: in the ngx_http_xslt_filter_module. Thanks to Kuramoto Eiji. *) Bugfix: memory leak if $geoip_org variable was used. Thanks to Denis F. Latypoff. *) Bugfix: in the "proxy_cookie_domain" and "proxy_cookie_path" directives.
author Igor Sysoev <http://sysoev.ru>
date Tue, 05 Jun 2012 00:00:00 +0400
parents 4dcaf40cc702
children 981b4c44593b
line wrap: on
line diff
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -812,7 +812,28 @@ ngx_http_process_request_line(ngx_event_
 
 #if (NGX_WIN32)
             {
-            u_char  *p;
+            u_char  *p, *last;
+
+            p = r->uri.data;
+            last = r->uri.data + r->uri.len;
+
+            while (p < last) {
+
+                if (*p++ == ':') {
+
+                    /*
+                     * this check covers "::$data", "::$index_allocation" and
+                     * ":$i30:$index_allocation"
+                     */
+
+                    if (p < last && *p == '$') {
+                        ngx_log_error(NGX_LOG_INFO, c->log, 0,
+                                      "client sent unsafe win32 URI");
+                        ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
+                        return;
+                    }
+                }
+            }
 
             p = r->uri.data + r->uri.len - 1;
 
@@ -828,11 +849,6 @@ ngx_http_process_request_line(ngx_event_
                     continue;
                 }
 
-                if (ngx_strncasecmp(p - 6, (u_char *) "::$data", 7) == 0) {
-                    p -= 7;
-                    continue;
-                }
-
                 break;
             }
 
@@ -1933,8 +1949,6 @@ ngx_http_finalize_request(ngx_http_reque
 
     if (rc == NGX_OK && r->filter_finalize) {
         c->error = 1;
-        ngx_http_finalize_connection(r);
-        return;
     }
 
     if (rc == NGX_DECLINED) {