Mercurial > hg > nginx
comparison src/http/ngx_http_parse.c @ 4678:01dbbe7236ee stable-1.2
Merge of r4674, r4675, r4676: win32 fixes.
*) Win32: disallowed access to various non-canonical name variants.
This includes trailings dots and spaces, NTFS streams (and short names, as
previously checked). The checks are now also done in ngx_file_info(), thus
allowing to use the "try_files" directive to protect external scripts.
*) Win32: normalization of trailing dot inside uri.
Windows treats "/directory./" identical to "/directory/". Do the same
when working on Windows. Note that the behaviour is different from one
with last path component (where multiple spaces and dots are ignored by
Windows).
*) Win32: uris with ":$" are now rejected.
There are too many problems with special NTFS streams, notably "::$data",
"::$index_allocation" and ":$i30:$index_allocation".
For now we don't reject all URIs with ":" like Apache does as there are no
good reasons seen yet, and there are multiple programs using it in URLs
(e.g. MediaWiki).
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Tue, 05 Jun 2012 13:52:37 +0000 |
| parents | 67653855682e |
| children | 32030fa8cb14 |
comparison
equal
deleted
inserted
replaced
| 4672:4a4516a725dc | 4678:01dbbe7236ee |
|---|---|
| 541 break; | 541 break; |
| 542 } | 542 } |
| 543 | 543 |
| 544 switch (ch) { | 544 switch (ch) { |
| 545 case '/': | 545 case '/': |
| 546 #if (NGX_WIN32) | |
| 547 if (r->uri_ext == p) { | |
| 548 r->complex_uri = 1; | |
| 549 state = sw_uri; | |
| 550 break; | |
| 551 } | |
| 552 #endif | |
| 546 r->uri_ext = NULL; | 553 r->uri_ext = NULL; |
| 547 state = sw_after_slash_in_uri; | 554 state = sw_after_slash_in_uri; |
| 548 break; | 555 break; |
| 549 case '.': | 556 case '.': |
| 550 r->uri_ext = p + 1; | 557 r->uri_ext = p + 1; |
| 1115 } | 1122 } |
| 1116 | 1123 |
| 1117 switch(ch) { | 1124 switch(ch) { |
| 1118 #if (NGX_WIN32) | 1125 #if (NGX_WIN32) |
| 1119 case '\\': | 1126 case '\\': |
| 1127 if (u - 2 >= r->uri.data | |
| 1128 && *(u - 1) == '.' && *(u - 2) != '.') | |
| 1129 { | |
| 1130 u--; | |
| 1131 } | |
| 1132 | |
| 1120 r->uri_ext = NULL; | 1133 r->uri_ext = NULL; |
| 1121 | 1134 |
| 1122 if (p == r->uri_start + r->uri.len) { | 1135 if (p == r->uri_start + r->uri.len) { |
| 1123 | 1136 |
| 1124 /* | 1137 /* |
| 1132 state = sw_slash; | 1145 state = sw_slash; |
| 1133 *u++ = '/'; | 1146 *u++ = '/'; |
| 1134 break; | 1147 break; |
| 1135 #endif | 1148 #endif |
| 1136 case '/': | 1149 case '/': |
| 1150 #if (NGX_WIN32) | |
| 1151 if (u - 2 >= r->uri.data | |
| 1152 && *(u - 1) == '.' && *(u - 2) != '.') | |
| 1153 { | |
| 1154 u--; | |
| 1155 } | |
| 1156 #endif | |
| 1137 r->uri_ext = NULL; | 1157 r->uri_ext = NULL; |
| 1138 state = sw_slash; | 1158 state = sw_slash; |
| 1139 *u++ = ch; | 1159 *u++ = ch; |
| 1140 break; | 1160 break; |
| 1141 case '%': | 1161 case '%': |