Mercurial > hg > nginx-vendor-1-0
diff src/http/ngx_http_special_response.c @ 320:95183808f549 NGINX_0_6_4
nginx 0.6.4
*) Security: the "msie_refresh" directive allowed XSS.
Thanks to Maxim Boguk.
*) Change: the "proxy_store" and "fastcgi_store" directives were
changed.
*) Feature: the "proxy_store_access" and "fastcgi_store_access"
directives.
*) Bugfix: nginx did not work on Solaris/sparc64 if it was built by Sun
Studio.
Thanks to Andrei Nigmatulin.
*) Workaround: for Sun Studio 12.
Thanks to Jiang Hong.
author | Igor Sysoev <http://sysoev.ru> |
---|---|
date | Tue, 17 Jul 2007 00:00:00 +0400 |
parents | c5c2b2883984 |
children | f7cd062ee035 |
line wrap: on
line diff
--- a/src/http/ngx_http_special_response.c +++ b/src/http/ngx_http_special_response.c @@ -315,6 +315,7 @@ ngx_http_special_response_handler(ngx_ht { u_char *p; size_t msie_refresh; + uintptr_t escape; ngx_int_t rc; ngx_buf_t *b; ngx_str_t *uri, *location; @@ -496,17 +497,19 @@ ngx_http_special_response_handler(ngx_ht r->headers_out.content_length = NULL; } - msie_refresh = 0; - location = NULL; - if (clcf->msie_refresh && r->headers_in.msie && (error == NGX_HTTP_MOVED_PERMANENTLY || error == NGX_HTTP_MOVED_TEMPORARILY)) { + location = &r->headers_out.location->value; + + escape = 2 * ngx_escape_uri(NULL, location->data, location->len, + NGX_ESCAPE_REFRESH); + msie_refresh = sizeof(ngx_http_msie_refresh_head) - 1 - + location->len + + escape + location->len + sizeof(ngx_http_msie_refresh_tail) - 1; r->err_status = NGX_HTTP_OK; @@ -514,6 +517,11 @@ ngx_http_special_response_handler(ngx_ht r->headers_out.content_length_n = msie_refresh; r->headers_out.location->hash = 0; r->headers_out.location = NULL; + + } else { + location = NULL; + escape = 0; + msie_refresh = 0; } ngx_http_clear_accept_ranges(r); @@ -595,7 +603,13 @@ ngx_http_special_response_handler(ngx_ht p = ngx_cpymem(b->pos, ngx_http_msie_refresh_head, sizeof(ngx_http_msie_refresh_head) - 1); - p = ngx_cpymem(p, location->data, location->len); + if (escape == 0) { + p = ngx_cpymem(p, location->data, location->len); + + } else { + p = (u_char *) ngx_escape_uri(p, location->data, location->len, + NGX_ESCAPE_REFRESH); + } b->last = ngx_cpymem(p, ngx_http_msie_refresh_tail, sizeof(ngx_http_msie_refresh_tail) - 1);