nginx-quic: src/http/ngx_http

comparison src/http/ngx_http_parse.c @ 8530:b4073527be81

Disabled control characters in URIs. Control characters (0x00-0x1f, 0x7f) were never allowed in URIs, and must be percent-encoded by clients. Further, these are not believed to appear in practice. On the other hand, passing such characters might make various attacks possible or easier, despite the fact that currently allowed control characters are not significant for HTTP request parsing.

author	Maxim Dounin <mdounin@mdounin.ru>
date	Mon, 28 Jun 2021 18:01:15 +0300
parents	52338ddf9e2f
children	41f4bd4c51f1

comparison

equal deleted inserted replaced

-:52338ddf9e2f
+:b4073527be81
 #include <ngx_core.h>
 #include <ngx_http.h>
 static uint32_t  usual[] = {
-0xffffdbfe, /* 1111 1111 1111 1111  1101 1011 1111 1110 */
+0x00000000, /* 0000 0000 0000 0000  0000 0000 0000 0000 */
 /* ?>=< ;:98 7654 3210  /.-, +*)( '&%$ #"!  */
 0x7fff37d6, /* 0111 1111 1111 1111  0011 0111 1101 0110 */
 /* _^]\ [ZYX WVUT SRQP  ONML KJIH GFED CBA@ */
 #else
 0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
 #endif
 /*  ~}| {zyx wvut srqp  onml kjih gfed cba` */
-0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
+0x7fffffff, /* 0111 1111 1111 1111  1111 1111 1111 1111 */
 0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
 0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
 0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
 0xffffffff  /* 1111 1111 1111 1111  1111 1111 1111 1111 */
 state = sw_uri;
 break;
 case '+':
 r->plus_in_uri = 1;
 break;
-case '\0':
+default:
-return NGX_HTTP_PARSE_INVALID_REQUEST;
+if (ch < 0x20 || ch == 0x7f) {
-default:
+return NGX_HTTP_PARSE_INVALID_REQUEST;
+}
 state = sw_check_uri;
 break;
 }
 break;
 state = sw_uri;
 break;
 case '+':
 r->plus_in_uri = 1;
 break;
-case '\0':
+default:
-return NGX_HTTP_PARSE_INVALID_REQUEST;
+if (ch < 0x20 || ch == 0x7f) {
+return NGX_HTTP_PARSE_INVALID_REQUEST;
+}
+break;
 }
 break;
 /* URI */
 case sw_uri:
 r->http_minor = 9;
 goto done;
 case '#':
 r->complex_uri = 1;
 break;
-case '\0':
+default:
-return NGX_HTTP_PARSE_INVALID_REQUEST;
+if (ch < 0x20 || ch == 0x7f) {
+return NGX_HTTP_PARSE_INVALID_REQUEST;
+}
+break;
 }
 break;
 /* space+ after URI */
 case sw_http_09:
 state = sw_check_uri;
 break;
 }
 switch (ch) {
-case ' ':
-return NGX_ERROR;
 case '.':
 r->complex_uri = 1;
 state = sw_uri;
 break;
 case '%':
 break;
 case '+':
 r->plus_in_uri = 1;
 break;
 default:
+if (ch <= 0x20 || ch == 0x7f) {
+return NGX_ERROR;
+}
 state = sw_check_uri;
 break;
 }
 break;
 state = sw_after_slash_in_uri;
 break;
 case '.':
 r->uri_ext = p + 1;
 break;
-case ' ':
-return NGX_ERROR;
 #if (NGX_WIN32)
 case '\\':
 r->complex_uri = 1;
 state = sw_after_slash_in_uri;
 break;
 state = sw_uri;
 break;
 case '+':
 r->plus_in_uri = 1;
 break;
+default:
+if (ch <= 0x20 || ch == 0x7f) {
+return NGX_ERROR;
+}
+break;
 }
 break;
 /* URI */
 case sw_uri:
 if (usual[ch >> 5] & (1U << (ch & 0x1f))) {
 break;
 }
 switch (ch) {
-case ' ':
-return NGX_ERROR;
 case '#':
 r->complex_uri = 1;
+break;
+default:
+if (ch <= 0x20 || ch == 0x7f) {
+return NGX_ERROR;
+}
 break;
 }
 break;
 }
 }

Mercurial > hg > nginx-quic

comparison src/http/ngx_http_parse.c @ 8530:b4073527be81