[nginx] Detect more unsafe URIs in ngx_http_parse_unsafe_uri().
Ruslan Ermilov
ru at nginx.com
Mon Dec 23 14:12:43 UTC 2013
details: http://hg.nginx.org/nginx/rev/b141a7627ac6
branches:
changeset: 5490:b141a7627ac6
user: Ruslan Ermilov <ru at nginx.com>
date: Mon Dec 23 18:11:56 2013 +0400
description:
Detect more unsafe URIs in ngx_http_parse_unsafe_uri().
The following URIs were considered safe: "..", "../foo", and "/foo/..".
diffstat:
src/http/ngx_http_parse.c | 10 +++++++---
1 files changed, 7 insertions(+), 3 deletions(-)
diffs (28 lines):
diff -r 6d357b2a9d6e -r b141a7627ac6 src/http/ngx_http_parse.c
--- a/src/http/ngx_http_parse.c Mon Dec 23 18:11:46 2013 +0400
+++ b/src/http/ngx_http_parse.c Mon Dec 23 18:11:56 2013 +0400
@@ -1790,7 +1790,9 @@ ngx_http_parse_unsafe_uri(ngx_http_reque
goto unsafe;
}
- if (p[0] == '.' && len == 3 && p[1] == '.' && (ngx_path_separator(p[2]))) {
+ if (p[0] == '.' && len > 1 && p[1] == '.'
+ && (len == 2 || ngx_path_separator(p[2])))
+ {
goto unsafe;
}
@@ -1816,9 +1818,11 @@ ngx_http_parse_unsafe_uri(ngx_http_reque
if (ngx_path_separator(ch) && len > 2) {
- /* detect "/../" */
+ /* detect "/../" and "/.." */
- if (p[0] == '.' && p[1] == '.' && ngx_path_separator(p[2])) {
+ if (p[0] == '.' && p[1] == '.'
+ && (len == 3 || ngx_path_separator(p[2])))
+ {
goto unsafe;
}
}
More information about the nginx-devel
mailing list