[nginx] Detect more unsafe URIs in ngx_http_parse_unsafe_uri().

Ruslan Ermilov ru at nginx.com
Mon Dec 23 14:12:43 UTC 2013


details:   http://hg.nginx.org/nginx/rev/b141a7627ac6
branches:  
changeset: 5490:b141a7627ac6
user:      Ruslan Ermilov <ru at nginx.com>
date:      Mon Dec 23 18:11:56 2013 +0400
description:
Detect more unsafe URIs in ngx_http_parse_unsafe_uri().

The following URIs were considered safe: "..", "../foo", and "/foo/..".

diffstat:

 src/http/ngx_http_parse.c |  10 +++++++---
 1 files changed, 7 insertions(+), 3 deletions(-)

diffs (28 lines):

diff -r 6d357b2a9d6e -r b141a7627ac6 src/http/ngx_http_parse.c
--- a/src/http/ngx_http_parse.c	Mon Dec 23 18:11:46 2013 +0400
+++ b/src/http/ngx_http_parse.c	Mon Dec 23 18:11:56 2013 +0400
@@ -1790,7 +1790,9 @@ ngx_http_parse_unsafe_uri(ngx_http_reque
         goto unsafe;
     }
 
-    if (p[0] == '.' && len == 3 && p[1] == '.' && (ngx_path_separator(p[2]))) {
+    if (p[0] == '.' && len > 1 && p[1] == '.'
+        && (len == 2 || ngx_path_separator(p[2])))
+    {
         goto unsafe;
     }
 
@@ -1816,9 +1818,11 @@ ngx_http_parse_unsafe_uri(ngx_http_reque
 
         if (ngx_path_separator(ch) && len > 2) {
 
-            /* detect "/../" */
+            /* detect "/../" and "/.." */
 
-            if (p[0] == '.' && p[1] == '.' && ngx_path_separator(p[2])) {
+            if (p[0] == '.' && p[1] == '.'
+                && (len == 3 || ngx_path_separator(p[2])))
+            {
                 goto unsafe;
             }
         }



More information about the nginx-devel mailing list