# HG changeset patch
# User Ruslan Ermilov <ru@nginx.com>
# Date 1387807916 -14400
# Node ID b141a7627ac66162d906b9a58d47311360e87b11
# Parent  6d357b2a9d6e553b7849d5a5a08b9873d36993c8
Detect more unsafe URIs in ngx_http_parse_unsafe_uri().

The following URIs were considered safe: "..", "../foo", and "/foo/..".

diff --git a/src/http/ngx_http_parse.c b/src/http/ngx_http_parse.c
--- a/src/http/ngx_http_parse.c
+++ b/src/http/ngx_http_parse.c
@@ -1790,7 +1790,9 @@ ngx_http_parse_unsafe_uri(ngx_http_reque
         goto unsafe;
     }
 
-    if (p[0] == '.' && len == 3 && p[1] == '.' && (ngx_path_separator(p[2]))) {
+    if (p[0] == '.' && len > 1 && p[1] == '.'
+        && (len == 2 || ngx_path_separator(p[2])))
+    {
         goto unsafe;
     }
 
@@ -1816,9 +1818,11 @@ ngx_http_parse_unsafe_uri(ngx_http_reque
 
         if (ngx_path_separator(ch) && len > 2) {
 
-            /* detect "/../" */
+            /* detect "/../" and "/.." */
 
-            if (p[0] == '.' && p[1] == '.' && ngx_path_separator(p[2])) {
+            if (p[0] == '.' && p[1] == '.'
+                && (len == 3 || ngx_path_separator(p[2])))
+            {
                 goto unsafe;
             }
         }