# HG changeset patch # User Igor Sysoev # Date 1317391568 0 # Node ID fb1375e8b68cadff849b65241f98782000951acb # Parent 010a0907bc953c5eec1e1b827446ae1ea02eba55 Merging r4036, r4055, r4056, r4057, r4058, r4059, r4060, r4061, r4062, r4063, r4064: Ranges related fixes: The "max_ranges" directive. "max_ranges 0" disables ranges support at all, "max_ranges 1" allows the single range, etc. By default number of ranges is unlimited, to be precise, 2^31-1. If client requests more ranges than "max_ranges" permits, nginx disables ranges and returns just the source response. If total size of all ranges is greater than source response size, then nginx disables ranges and returns just the source response. This fix should not affect well-behaving applications but will defeat DoS attempts exploiting malicious byte ranges. Now unsatisfiable ranges are processed according to RFC 2616. diff --git a/src/http/modules/ngx_http_range_filter_module.c b/src/http/modules/ngx_http_range_filter_module.c --- a/src/http/modules/ngx_http_range_filter_module.c +++ b/src/http/modules/ngx_http_range_filter_module.c @@ -58,8 +58,8 @@ typedef struct { } ngx_http_range_filter_ctx_t; -ngx_int_t ngx_http_range_parse(ngx_http_request_t *r, - ngx_http_range_filter_ctx_t *ctx); +static ngx_int_t ngx_http_range_parse(ngx_http_request_t *r, + ngx_http_range_filter_ctx_t *ctx, ngx_uint_t ranges); static ngx_int_t ngx_http_range_singlepart_header(ngx_http_request_t *r, ngx_http_range_filter_ctx_t *ctx); static ngx_int_t ngx_http_range_multipart_header(ngx_http_request_t *r, @@ -146,7 +146,7 @@ static ngx_int_t ngx_http_range_header_filter(ngx_http_request_t *r) { time_t if_range; - ngx_int_t rc; + ngx_http_core_loc_conf_t *clcf; ngx_http_range_filter_ctx_t *ctx; if (r->http_version < NGX_HTTP_VERSION_10 @@ -158,6 +158,12 @@ ngx_http_range_header_filter(ngx_http_re return ngx_http_next_header_filter(r); } + clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); + + if (clcf->max_ranges == 0) { + return ngx_http_next_header_filter(r); + } + if (r->headers_in.range == NULL || r->headers_in.range->value.len < 7 || ngx_strncasecmp(r->headers_in.range->value.data, @@ -192,10 +198,9 @@ ngx_http_range_header_filter(ngx_http_re return NGX_ERROR; } - rc = ngx_http_range_parse(r, ctx); + switch (ngx_http_range_parse(r, ctx, clcf->max_ranges)) { - if (rc == NGX_OK) { - + case NGX_OK: ngx_http_set_ctx(r, ctx, ngx_http_range_body_filter_module); r->headers_out.status = NGX_HTTP_PARTIAL_CONTENT; @@ -206,16 +211,17 @@ ngx_http_range_header_filter(ngx_http_re } return ngx_http_range_multipart_header(r, ctx); - } + + case NGX_HTTP_RANGE_NOT_SATISFIABLE: + return ngx_http_range_not_satisfiable(r); - if (rc == NGX_HTTP_RANGE_NOT_SATISFIABLE) { - return ngx_http_range_not_satisfiable(r); + case NGX_ERROR: + return NGX_ERROR; + + default: /* NGX_DECLINED */ + break; } - /* rc == NGX_ERROR */ - - return rc; - next_filter: r->headers_out.accept_ranges = ngx_list_push(&r->headers_out.headers); @@ -231,15 +237,18 @@ next_filter: } -ngx_int_t -ngx_http_range_parse(ngx_http_request_t *r, ngx_http_range_filter_ctx_t *ctx) +static ngx_int_t +ngx_http_range_parse(ngx_http_request_t *r, ngx_http_range_filter_ctx_t *ctx, + ngx_uint_t ranges) { u_char *p; - off_t start, end; + off_t start, end, size, content_length; ngx_uint_t suffix; ngx_http_range_t *range; p = r->headers_in.range->value.data + 6; + size = 0; + content_length = r->headers_out.content_length_n; for ( ;; ) { start = 0; @@ -263,26 +272,11 @@ ngx_http_range_parse(ngx_http_request_t return NGX_HTTP_RANGE_NOT_SATISFIABLE; } - if (start >= r->headers_out.content_length_n) { - return NGX_HTTP_RANGE_NOT_SATISFIABLE; - } - while (*p == ' ') { p++; } if (*p == ',' || *p == '\0') { - range = ngx_array_push(&ctx->ranges); - if (range == NULL) { - return NGX_ERROR; - } - - range->start = start; - range->end = r->headers_out.content_length_n; - - if (*p++ != ',') { - return NGX_OK; - } - - continue; + end = content_length; + goto found; } } else { @@ -305,36 +299,49 @@ ngx_http_range_parse(ngx_http_request_t } if (suffix) { - start = r->headers_out.content_length_n - end; - end = r->headers_out.content_length_n - 1; + start = content_length - end; + end = content_length - 1; } - if (start > end) { - return NGX_HTTP_RANGE_NOT_SATISFIABLE; + if (end >= content_length) { + end = content_length; + + } else { + end++; } - range = ngx_array_push(&ctx->ranges); - if (range == NULL) { - return NGX_ERROR; - } + found: - range->start = start; + if (start < end) { + range = ngx_array_push(&ctx->ranges); + if (range == NULL) { + return NGX_ERROR; + } - if (end >= r->headers_out.content_length_n) { - /* - * Download Accelerator sends the last byte position - * that equals to the file length - */ - range->end = r->headers_out.content_length_n; + range->start = start; + range->end = end; - } else { - range->end = end + 1; + size += end - start; + + if (ranges-- == 0) { + return NGX_DECLINED; + } } if (*p++ != ',') { - return NGX_OK; + break; } } + + if (ctx->ranges.nelts == 0) { + return NGX_HTTP_RANGE_NOT_SATISFIABLE; + } + + if (size > content_length) { + return NGX_DECLINED; + } + + return NGX_OK; } diff --git a/src/http/ngx_http_core_module.c b/src/http/ngx_http_core_module.c --- a/src/http/ngx_http_core_module.c +++ b/src/http/ngx_http_core_module.c @@ -631,6 +631,13 @@ static ngx_command_t ngx_http_core_comm offsetof(ngx_http_core_loc_conf_t, if_modified_since), &ngx_http_core_if_modified_since }, + { ngx_string("max_ranges"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1, + ngx_conf_set_num_slot, + NGX_HTTP_LOC_CONF_OFFSET, + offsetof(ngx_http_core_loc_conf_t, max_ranges), + NULL }, + { ngx_string("chunked_transfer_encoding"), NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1, ngx_conf_set_flag_slot, @@ -3253,6 +3260,7 @@ ngx_http_core_create_loc_conf(ngx_conf_t clcf->keepalive_disable = NGX_CONF_UNSET_UINT; clcf->satisfy = NGX_CONF_UNSET_UINT; clcf->if_modified_since = NGX_CONF_UNSET_UINT; + clcf->max_ranges = NGX_CONF_UNSET_UINT; clcf->client_body_in_file_only = NGX_CONF_UNSET_UINT; clcf->client_body_in_single_buffer = NGX_CONF_UNSET; clcf->internal = NGX_CONF_UNSET; @@ -3459,6 +3467,8 @@ ngx_http_core_merge_loc_conf(ngx_conf_t NGX_HTTP_SATISFY_ALL); ngx_conf_merge_uint_value(conf->if_modified_since, prev->if_modified_since, NGX_HTTP_IMS_EXACT); + ngx_conf_merge_uint_value(conf->max_ranges, prev->max_ranges, + 0x7fffffff); ngx_conf_merge_uint_value(conf->client_body_in_file_only, prev->client_body_in_file_only, 0); ngx_conf_merge_value(conf->client_body_in_single_buffer, diff --git a/src/http/ngx_http_core_module.h b/src/http/ngx_http_core_module.h --- a/src/http/ngx_http_core_module.h +++ b/src/http/ngx_http_core_module.h @@ -363,6 +363,7 @@ struct ngx_http_core_loc_conf_s { ngx_uint_t satisfy; /* satisfy */ ngx_uint_t lingering_close; /* lingering_close */ ngx_uint_t if_modified_since; /* if_modified_since */ + ngx_uint_t max_ranges; /* max_ranges */ ngx_uint_t client_body_in_file_only; /* client_body_in_file_only */ ngx_flag_t client_body_in_single_buffer;