mdounin at mdounin.ru
Sat Oct 16 21:18:08 MSD 2010
[sorry for long delay, I had no time to review the patch]
On Sun, Oct 03, 2010 at 10:11:58AM -0400, rovervr wrote:
> This is the last version of the patch for version 0.8.52 which is now
> live on our production servers for several days without any flaws.
> The escaping takes place at ngx_http_parse_unsafe_uri() as Maxim
This patch is wrong. It will unescape query string as well, which
is expected to remain escaped. Additionally, at least "../" unsafe
check should be reconsidered after unescaping.
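The ordering problem raised in the reply, as an added example in C that is not nginx's ngx_http_parse_unsafe_uri() nor the submitted patch: only the path part (before '?') is percent-decoded, the query string is handed back untouched, and the "../" check runs on the decoded bytes. The rejection of an escaped NUL and the 256-byte path buffer are assumptions of this constructed example.

```c
#include <string.h>
#include <ctype.h>

static int hex_val(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Percent-decode the first n bytes of src into dst (dst needs n+1 bytes).
 * Returns the decoded length, or -1 on a truncated or non-hex escape. */
static int pct_decode(const char *src, size_t n, char *dst) {
    size_t i, j = 0;
    for (i = 0; i < n; i++) {
        if (src[i] != '%') { dst[j++] = src[i]; continue; }
        if (i + 2 >= n) return -1;
        int h = hex_val((unsigned char)src[i + 1]);
        int l = hex_val((unsigned char)src[i + 2]);
        if (h < 0 || l < 0) return -1;
        dst[j++] = (char)(h * 16 + l);
        i += 2;
    }
    dst[j] = '\0';
    return (int)j;
}

/* True if the decoded path has a ".." segment: "..", "../", "/../", "/..". */
static int has_dotdot(const char *p) {
    size_t len = strlen(p);
    return strcmp(p, "..") == 0 || strncmp(p, "../", 3) == 0 ||
           strstr(p, "/../") != NULL ||
           (len >= 3 && strcmp(p + len - 3, "/..") == 0);
}

/* Returns 1 if uri is safe for an internal redirect, 0 otherwise. The decoded
 * path goes to path; *query points at the original, still-escaped "?..." part
 * (or "" if none), which is deliberately never decoded. */
int check_unsafe_uri(const char *uri, char *path, size_t pathsz, const char **query) {
    const char *q = strchr(uri, '?');
    size_t plen = q ? (size_t)(q - uri) : strlen(uri);
    *query = q ? q : "";
    if (plen + 1 > pathsz) return 0;
    int n = pct_decode(uri, plen, path);
    if (n < 0) return 0;                      /* malformed %xx */
    if (strlen(path) != (size_t)n) return 0;  /* %00 smuggled a NUL (assumed policy) */
    return has_dotdot(path) ? 0 : 1;          /* check AFTER decoding, not before */
}

/* Convenience wrapper for callers that only need the verdict. */
int is_safe(const char *uri) {
    char path[256]; const char *q;
    return check_unsafe_uri(uri, path, sizeof path, &q);
}
```

A check run on the raw URI would accept the first input below, since "../" does not appear until after decoding.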