comparison src/http/modules/ngx_http_dav_module.c @ 3161:d430c6ab1c99
check unsafe Destination
author | Igor Sysoev <igor@sysoev.ru> |
---|---|
date | Fri, 25 Sep 2009 09:30:06 +0000 |
parents | 524ba56ba9f7 |
children | 6ddaac3e0bf7 |
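--- a/src/http/modules/ngx_http_dav_module.c
+++ b/src/http/modules/ngx_http_dav_module.c
@@ -514,12 +514,12 @@
 {
 u_char *p, *host, *last, ch;
 size_t len, root;
 ngx_err_t err;
 ngx_int_t rc, depth;
-ngx_uint_t overwrite, slash, dir;
-ngx_str_t path, uri;
+ngx_uint_t overwrite, slash, dir, flags;
+ngx_str_t path, uri, duri, args;
 ngx_tree_ctx_t tree;
 ngx_copy_file_t cf;
 ngx_file_info_t fi;
 ngx_table_elt_t *dest, *over;
 ngx_ext_rename_file_t ext;
@@ -591,10 +591,18 @@
 "client sent invalid \"Destination\" header: \"%V\"",
 &dest->value);
 return NGX_HTTP_BAD_REQUEST;
 
 destination_done:
+
+duri.len = last - p;
+duri.data = p;
+flags = 0;
+
+if (ngx_http_parse_unsafe_uri(r, &duri, &args, &flags) != NGX_OK) {
+goto invalid_destination;
+}
 
 if ((r->uri.data[r->uri.len - 1] == '/' && *(last - 1) != '/')
 || (r->uri.data[r->uri.len - 1] != '/' && *(last - 1) == '/'))
 {
 ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
@@ -654,13 +662,11 @@
 
 ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
 "http copy from: \"%s\"", path.data);
 
 uri = r->uri;
-
-r->uri.len = last - p;
-r->uri.data = p;
+r->uri = duri;
 
 ngx_http_map_uri_to_path(r, ©.path, &root, 0);
 
 r->uri = uri;
 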
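Review bot: The trailing-slash comparison that follows the new validation block still reads `*(last - 1)`, the raw end of the header value, while the path that is validated and later assigned with `r->uri = duri` is `duri`. ngx_http_parse_unsafe_uri can shorten `duri` when it splits a query string off into `args`, so the slash check and the mapped path may then describe different strings; comparing against `duri.data[duri.len - 1]` would keep the two consistent. In the lines shown `args` is filled in and never read, so a Destination carrying a query appears to be accepted with the query silently dropped; a comment such as `/* args are parsed only to validate the path and are otherwise ignored */` would make that intent explicit. The function's body begins and ends outside the displayed hunks, so the parsing that leads up to `destination_done:` could not be checked here.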