nginx 0.5.34 *) Change: now the full request line instead of URI only is written to error_log. *) Feature: Cygwin compatibility. Thanks to Vladimir Kutakov. *) Feature: the "merge_slashes" directive. *) Feature: the "gzip_vary" directive. *) Feature: the "server_tokens" directive. *) Feature: the "access_log" directive may be used inside the "limit_except" block. *) Bugfix: if the $server_protocol was used in FastCGI parameters and a request line length was near to the "client_header_buffer_size" directive value, then nginx issued an alert "fastcgi: the request record is too big". *) Bugfix: if a plain text HTTP/0.9 version request was made to HTTPS server, then nginx returned usual response. *) Bugfix: URL double escaping in a redirect of the "msie_refresh" directive; bug appeared in 0.5.28. *) Bugfix: a segmentation fault might occur in worker process if subrequests were used. *) Bugfix: the big responses may be transferred truncated if SSL and gzip were used. *) Bugfix: compatibility with mget. *) Bugfix: nginx did not unescape URI in the "include" SSI command. *) Bugfix: the segmentation fault was occurred on start or while reconfiguration if variable was used in the "charset" or "source_charset" directives. *) Bugfix: nginx returned the 400 response on requests like "GET http://www.domain.com HTTP/1.0". Thanks to James Oakley. *) Bugfix: a segmentation fault occurred in worker process if $date_local and $date_gmt were used outside the ngx_http_ssi_filter_module. *) Bugfix: a segmentation fault might occur in worker process if debug log was enabled. Thanks to Andrei Nigmatulin. *) Bugfix: ngx_http_memcached_module did not set $upstream_response_time. Thanks to Maxim Dounin. *) Bugfix: a worker process may got caught in an endless loop, if the memcached was used.

--- a/src/core/ngx_string.c
+++ b/src/core/ngx_string.c
@@ -1147,7 +1147,7 @@ ngx_escape_uri(u_char *dst, u_char *src,
         0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
 
                     /* ?>=< ;:98 7654 3210  /.-, +*)( '&%$ #"!  */
-        0x000000a5, /* 0000 0000 0000 0000  0000 0000 1010 0101 */
+        0x00000085, /* 0000 0000 0000 0000  0000 0000 1000 0101 */
 
                     /* _^]\ [ZYX WVUT SRQP  ONML KJIH GFED CBA@ */
         0x00000000, /* 0000 0000 0000 0000  0000 0000 0000 0000 */
@@ -1243,7 +1243,9 @@ ngx_unescape_uri(u_char **dst, u_char **
 
         switch (state) {
         case sw_usual:
-            if (ch == '?' && type == NGX_UNESCAPE_URI) {
+            if (ch == '?'
+                && (type & (NGX_UNESCAPE_URI|NGX_UNESCAPE_REDIRECT)))
+            {
                 *d++ = ch;
                 goto done;
             }
@@ -1286,7 +1288,7 @@ ngx_unescape_uri(u_char **dst, u_char **
             if (ch >= '0' && ch <= '9') {
                 ch = (u_char) ((decoded << 4) + ch - '0');
 
-                if (type == NGX_UNESCAPE_URI) {
+                if (type & NGX_UNESCAPE_REDIRECT) {
                     if (ch > '%' && ch < 0x7f) {
                         *d++ = ch;
                         break;
@@ -1306,7 +1308,17 @@ ngx_unescape_uri(u_char **dst, u_char **
             if (c >= 'a' && c <= 'f') {
                 ch = (u_char) ((decoded << 4) + c - 'a' + 10);
 
-                if (type == NGX_UNESCAPE_URI) {
+                if (type & NGX_UNESCAPE_URI) {
+                    if (ch == '?') {
+                        *d++ = ch;
+                        goto done;
+                    }
+
+                    *d++ = ch;
+                    break;
+                }
+
+                if (type & NGX_UNESCAPE_REDIRECT) {
                     if (ch == '?') {
                         *d++ = ch;
                         goto done;