# HG changeset patch # User Igor Sysoev # Date 1256579155 0 # Node ID ef8cfb09a50b3518a0e9c89386fdfcb8e672403f # Parent ff7e1ec2c9a4e35472457f8775d52045e4540b26 merge r3162, r3183: WebDAV fixes: *) check unsafe Destination *) omit '\0' from "Location" header on MKCOL request diff --git a/src/http/modules/ngx_http_dav_module.c b/src/http/modules/ngx_http_dav_module.c --- a/src/http/modules/ngx_http_dav_module.c +++ b/src/http/modules/ngx_http_dav_module.c @@ -490,6 +490,7 @@ ngx_http_dav_mkcol_handler(ngx_http_requ p = ngx_http_map_uri_to_path(r, &path, &root, 0); *(p - 1) = '\0'; + r->uri.len--; ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http mkcol path: \"%s\"", path.data); @@ -516,8 +517,8 @@ ngx_http_dav_copy_move_handler(ngx_http_ size_t len, root; ngx_err_t err; ngx_int_t rc, depth; - ngx_uint_t overwrite, slash, dir; - ngx_str_t path, uri; + ngx_uint_t overwrite, slash, dir, flags; + ngx_str_t path, uri, duri, args; ngx_tree_ctx_t tree; ngx_copy_file_t cf; ngx_file_info_t fi; @@ -594,6 +595,14 @@ invalid_destination: destination_done: + duri.len = last - p; + duri.data = p; + flags = 0; + + if (ngx_http_parse_unsafe_uri(r, &duri, &args, &flags) != NGX_OK) { + goto invalid_destination; + } + if ((r->uri.data[r->uri.len - 1] == '/' && *(last - 1) != '/') || (r->uri.data[r->uri.len - 1] != '/' && *(last - 1) == '/')) { @@ -656,9 +665,7 @@ overwrite_done: "http copy from: \"%s\"", path.data); uri = r->uri; - - r->uri.len = last - p; - r->uri.data = p; + r->uri = duri; ngx_http_map_uri_to_path(r, ©.path, &root, 0); diff --git a/src/http/modules/ngx_http_ssi_filter_module.c b/src/http/modules/ngx_http_ssi_filter_module.c --- a/src/http/modules/ngx_http_ssi_filter_module.c +++ b/src/http/modules/ngx_http_ssi_filter_module.c @@ -1908,7 +1908,7 @@ ngx_http_ssi_include(ngx_http_request_t args.len = 0; args.data = NULL; - flags = 0; + flags = NGX_HTTP_LOG_UNSAFE; if (ngx_http_parse_unsafe_uri(r, uri, &args, &flags) != NGX_OK) { return NGX_HTTP_SSI_ERROR; diff --git a/src/http/ngx_http_parse.c b/src/http/ngx_http_parse.c --- a/src/http/ngx_http_parse.c +++ b/src/http/ngx_http_parse.c @@ -1322,8 +1322,10 @@ ngx_http_parse_unsafe_uri(ngx_http_reque unsafe: - ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, - "unsafe URI \"%V\" was detected", uri); + if (*flags & NGX_HTTP_LOG_UNSAFE) { + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, + "unsafe URI \"%V\" was detected", uri); + } return NGX_ERROR; } diff --git a/src/http/ngx_http_request.h b/src/http/ngx_http_request.h --- a/src/http/ngx_http_request.h +++ b/src/http/ngx_http_request.h @@ -60,6 +60,7 @@ #define NGX_HTTP_ZERO_IN_URI 1 #define NGX_HTTP_SUBREQUEST_IN_MEMORY 2 #define NGX_HTTP_SUBREQUEST_WAITED 4 +#define NGX_HTTP_LOG_UNSAFE 8 #define NGX_HTTP_OK 200 diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c --- a/src/http/ngx_http_upstream.c +++ b/src/http/ngx_http_upstream.c @@ -1762,7 +1762,7 @@ ngx_http_upstream_process_headers(ngx_ht uri = &u->headers_in.x_accel_redirect->value; args.len = 0; args.data = NULL; - flags = 0; + flags = NGX_HTTP_LOG_UNSAFE; if (ngx_http_parse_unsafe_uri(r, uri, &args, &flags) != NGX_OK) { ngx_http_finalize_request(r, NGX_HTTP_NOT_FOUND);