diff src/http/ngx_http_parse.c @ 122:d25a1d6034f1 NGINX_0_3_8

nginx 0.3.8 *) Security: nginx now checks the URI received from a backend in the "X-Accel-Redirect" header line or in an SSI file for "/../" paths and zero bytes. *) Change: nginx now does not treat the empty user name in the "Authorization" header line as a valid one. *) Feature: the "ssl_session_timeout" directives of the ngx_http_ssl_module and ngx_imap_ssl_module. *) Feature: the "auth_http_header" directive of the ngx_imap_auth_http_module. *) Feature: the "add_header" directive. *) Feature: the ngx_http_realip_module. *) Feature: the new variables to use in the "log_format" directive: $bytes_sent, $apache_bytes_sent, $status, $time_gmt, $uri, $request_time, $request_length, $upstream_status, $upstream_response_time, $gzip_ratio, $uid_got, $uid_set, $connection, $pipe, and $msec. The parameters in the "%name" form will be canceled soon. *) Change: now the false variable values in the "if" directive are the empty string "" and string starting with "0". *) Bugfix: while using proxied or FastCGI-server nginx may leave connections and temporary files with client requests in open state. *) Bugfix: the worker processes did not flush the buffered logs on graceful exit. *) Bugfix: if the request URI was changed by the "rewrite" directive and the request was proxied in location given by regular expression, then the incorrect request was transferred to backend; bug appeared in 0.2.6. *) Bugfix: the "expires" directive did not remove the previous "Expires" header. *) Bugfix: nginx may stop accepting requests if the "rtsig" method and several worker processes were used. *) Bugfix: the "\"" and "\'" escape symbols were incorrectly handled in SSI commands. *) Bugfix: if the response was ended just after the SSI command and gzipping was used, then the response was not transferred completely or was not transferred at all.
author Igor Sysoev <http://sysoev.ru>
date Wed, 09 Nov 2005 00:00:00 +0300
parents 8ad297c88dcb
children 12acc273e340
--- a/src/http/ngx_http_parse.c
+++ b/src/http/ngx_http_parse.c
@@ -763,6 +763,7 @@ ngx_http_parse_complex_uri(ngx_http_requ
                        "s:%d in:'%Xd:%c', out:'%c'", state, ch, ch, *u);
 
         switch (state) {
+
         case sw_usual:
             switch(ch) {
 #if (NGX_WIN32)
@@ -810,7 +811,6 @@ ngx_http_parse_complex_uri(ngx_http_requ
             switch(ch) {
 #if (NGX_WIN32)
             case '\\':
-                break;
 #endif
             case '/':
                 break;
@@ -837,7 +837,6 @@ ngx_http_parse_complex_uri(ngx_http_requ
             switch(ch) {
 #if (NGX_WIN32)
             case '\\':
-                /* fall through */
 #endif
             case '/':
                 state = sw_slash;
@@ -866,7 +865,6 @@ ngx_http_parse_complex_uri(ngx_http_requ
             switch(ch) {
 #if (NGX_WIN32)
             case '\\':
-                /* fall through */
 #endif
             case '/':
                 state = sw_slash;
@@ -923,6 +921,9 @@ ngx_http_parse_complex_uri(ngx_http_requ
                 quoted_state = state;
                 state = sw_quoted;
                 break;
+            case '?':
+                r->args_start = p;
+                goto done;
             default:
                 state = sw_usual;
                 *u++ = ch;
@@ -1003,6 +1004,92 @@ done:
 
 
 ngx_int_t
+ngx_http_parse_unsafe_uri(ngx_http_request_t *r, ngx_str_t *uri,
+    ngx_str_t *args, ngx_uint_t *flags)
+{
+    u_char  ch, *p;
+    size_t  len;
+
+    len = uri->len;
+    p = uri->data;
+
+    if (len == 0 || p[0] == '?') {
+        goto unsafe;
+    }
+
+    if (p[0] == '.' && len == 3 && p[1] == '.' && (p[2] == '/'
+#if (NGX_WIN32)
+                                                   || p[2] == '\\'
+#endif
+        ))
+    {
+        goto unsafe;
+    }
+
+    for ( /* void */ ; len; len--) {
+
+        ch = *p++;
+
+        if (ch == '?') {
+            args->len = len - 1;
+            args->data = p;
+            uri->len -= len;
+
+            return NGX_OK;
+        }
+
+        if (ch == '\0') {
+            *flags |= NGX_HTTP_ZERO_IN_URI;
+            continue;
+        }
+
+        if (ch != '/'
+#if (NGX_WIN32)
+            && ch != '\\'
+#endif
+            )
+        {
+            continue;
+        }
+
+        if (len > 2) {
+
+            /* detect "/../" */
+
+            if (p[2] == '/') {
+                goto unsafe;
+            }
+
+#if (NGX_WIN32)
+
+            if (p[2] == '\\') {
+                goto unsafe;
+            }
+
+            if (len > 3) {
+
+                /* detect "/.../" */
+
+                if (p[3] == '/' || p[3] == '\\') {
+                    goto unsafe;
+                }
+            }
+#endif
+        }
+    }
+
+    return NGX_OK;
+
+unsafe:
+
+    ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
+                  "unsafe URI \"%V\" was detected", uri);
+
+    return NGX_ERROR;
+}
+
+
+ngx_int_t
 ngx_http_parse_multi_header_lines(ngx_array_t *headers, ngx_str_t *name,
     ngx_str_t *value)
 {
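Review bot: In ngx_http_parse_unsafe_uri the "/../" test inside the loop compares only `p[2]` and never checks that `p[0]` and `p[1]` are dots, so any two-byte segment such as "/ab/" is rejected as unsafe although the comment says the target is ".." only. Because `p` has already been advanced past `ch`, only `len - 1` bytes remain, so `p[2]` under `len > 2` (and `p[3]` under `len > 3` in the NGX_WIN32 branch) reads one byte beyond the `uri->len` bytes when the separator sits that close to the end. The leading check also insists on `len == 3`, so a URI that begins with "../" and continues, or one that ends in "/..", is not flagged. A rewrite of the three checks that tests the dots explicitly and bounds each index is sketched below.

```c
    /* … unchanged: declarations, empty-URI and leading '?' check … */

    if (p[0] == '.' && len > 1 && p[1] == '.'
        && (len == 2 || p[2] == '/'
#if (NGX_WIN32)
            || p[2] == '\\'
#endif
        ))
    {
        goto unsafe;
    }

    /* … unchanged: loop header, '?' / '\0' / non-separator handling … */

        if (len > 2) {

            /* detect "/../" and a trailing "/.."; p[2] exists only if len > 3 */

            if (p[0] == '.' && p[1] == '.'
                && (len == 3 || p[2] == '/'
#if (NGX_WIN32)
                    || p[2] == '\\'
#endif
                ))
            {
                goto unsafe;
            }

#if (NGX_WIN32)

            /* detect "/.../"; p[3] exists only if len > 4 */

            if (len > 4 && p[0] == '.' && p[1] == '.' && p[2] == '.'
                && (p[3] == '/' || p[3] == '\\'))
            {
                goto unsafe;
            }
#endif
        }

    /* … unchanged: return NGX_OK, unsafe: label and logging … */
```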
@@ -1059,6 +1146,7 @@ ngx_http_parse_multi_header_lines(ngx_ar
             return i;
 
         skip:
+
             while (start < end) {
                 ch = *start++;
                 if (ch == ';' || ch == ',') {