Mercurial > hg > nginx
comparison src/http/ngx_http_request.c @ 4675:79c147bdeb6a
Win32: uris with ":$" are now rejected.
There are too many problems with special NTFS streams, notably "::$data",
"::$index_allocation" and ":$i30:$index_allocation".
For now we don't reject all URIs with ":" like Apache does as there are no
good reasons seen yet, and there are multiple programs using it in URLs
(e.g. MediaWiki).
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Tue, 05 Jun 2012 13:38:27 +0000 |
parents | 07f028df3879 |
children | 09187f9b0950 |
comparison
equal
deleted
inserted
replaced
4674:5d86ab8f2340 | 4675:79c147bdeb6a |
---|---|
810 r->args.data = r->args_start; | 810 r->args.data = r->args_start; |
811 } | 811 } |
812 | 812 |
813 #if (NGX_WIN32) | 813 #if (NGX_WIN32) |
814 { | 814 { |
815 u_char *p; | 815 u_char *p, *last; |
816 | |
817 p = r->uri.data; | |
818 last = r->uri.data + r->uri.len; | |
819 | |
820 while (p < last) { | |
821 | |
822 if (*p++ == ':') { | |
823 | |
824 /* | |
825 * this check covers "::$data", "::$index_allocation" and | |
826 * ":$i30:$index_allocation" | |
827 */ | |
828 | |
829 if (p < last && *p == '$') { | |
830 ngx_log_error(NGX_LOG_INFO, c->log, 0, | |
831 "client sent unsafe win32 URI"); | |
832 ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST); | |
833 return; | |
834 } | |
835 } | |
836 } | |
816 | 837 |
817 p = r->uri.data + r->uri.len - 1; | 838 p = r->uri.data + r->uri.len - 1; |
818 | 839 |
819 while (p > r->uri.data) { | 840 while (p > r->uri.data) { |
820 | 841 |
823 continue; | 844 continue; |
824 } | 845 } |
825 | 846 |
826 if (*p == '.') { | 847 if (*p == '.') { |
827 p--; | 848 p--; |
828 continue; | |
829 } | |
830 | |
831 if (ngx_strncasecmp(p - 6, (u_char *) "::$data", 7) == 0) { | |
832 p -= 7; | |
833 continue; | 849 continue; |
834 } | 850 } |
835 | 851 |
836 break; | 852 break; |
837 } | 853 } |