nginx 400 error when username included in the uri
Michael Ching
michaelc at wush.net
Sat Aug 23 14:15:39 MSD 2008
Michael Ching wrote:
> Igor Sysoev wrote:
>> This patch ignores user only in "http://user@host".
>> Should password in "http://user:password@host" be ignored too ?
We modified the patch we are using so that usernames with characters
illegal in a hostname are allowed (for example GET
http://username+tag@email.com@example.com/); however, we decided against
trying to extend the code to handle username:password to avoid breaking
anything related to parsing of the port number.
If we see one illegal character, instead of returning an error right
away we go to a new state. Then, if we encounter an "@" we assume
everything prior was a username, and move the host_start pointer forward
and go back to the sw_host state. Otherwise, if we encounter anything
that would normally indicate the end of the sw_host state before seeing
an "@", we return the default 400 error.
The downside to this patch is that parsing becomes a lot more permissive
instead of having only explicitly allowed characters in the state
machine. Hopefully this is helpful for anyone else proxying SVN for Xcode.
*** nginx-0.5.37/src/http/ngx_http_parse.c 2008-01-08
11:23:25.000000000 -0600
--- nginx-0.5.37-new/src/http/ngx_http_parse.c 2008-08-23
04:47:37.000000000 -0500
***************
*** 111,116 ****
--- 111,117 ----
sw_schema_slash,
sw_schema_slash_slash,
sw_host,
+ sw_host_illegal_character,
sw_port,
sw_after_slash_in_uri,
sw_check_uri,
***************
*** 355,361 ****
--- 356,385 ----
r->uri_end = r->schema_end + 2;
state = sw_http_09;
break;
+ case '@':
+ r->host_start = p + 1;
+ break;
default:
+ state = sw_host_illegal_character;
+ break;
+ }
+ break;
+
+ case sw_host_illegal_character:
+ /*
+ * if we see an @ somewhere before the hostname we can assume
+ * the illegal characters were part of a username and ignore
+ */
+
+ switch (ch) {
+ case '@':
+ r->host_start = p + 1;
+ state = sw_host;
+ break;
+ case '/':
+ case ' ':
+ case CR:
+ case LF:
return NGX_HTTP_PARSE_INVALID_REQUEST;
}
break;
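Review bot: the terminating list in sw_host_illegal_character (only '@', '/', ' ', CR and LF) makes the user:password decision inconsistent. In sw_host a ':' still goes to sw_port, so "http://user:pass@host/" is rejected as before, but once an illegal character has been seen the new state swallows ':' along with everything else, so "http://us+er:pass@host/" is accepted with "host" as the host. Add `case ':':` next to `case '/':` in the new state so both forms are rejected, or handle the password form in sw_host as well. The same list should also stop on '?', which ends the authority in the URI grammar; as written, "http://a+b?x@evil/" selects "evil" as the host. Finally, the new `case '@'` in sw_host means every later '@' moves host_start again, so the host is whatever follows the last '@' before the terminator; if that is intended, the comment in sw_host_illegal_character should say so.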
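To make the state transitions described in the mail concrete, the following is a stand-alone C model of the sw_host / sw_host_illegal_character / sw_port walk. It is example code added here, not nginx's ngx_http_parse.c or the posted patch. It assumes the input is the NUL-terminated text that follows "http://" in the request line and, like the 0.5.x parser, treats only lowercase letters, digits, '.' and '-' as legal host characters; the function and sample names are my own.

```c
#include <stdio.h>
#include <string.h>

/* Stand-alone model of the states the mail describes (sw_host, the new
 * sw_host_illegal_character, sw_port). Example code for this thread, not
 * nginx's ngx_http_parse.c. Assumed: input is the NUL-terminated text after
 * "http://" and, as in 0.5.x, only [a-z0-9.-] are legal host characters. */

#define CR '\r'
#define LF '\n'

enum parse_result { PARSE_OK = 0, PARSE_INVALID = -1 };

/* Walk the authority; on PARSE_OK *host/*host_len give the host, userinfo stripped. */
int parse_authority(const char *s, const char **host, size_t *host_len)
{
    enum { sw_host, sw_host_illegal_character, sw_port } state = sw_host;
    const char *p, *host_start = s, *host_end = NULL;

    for (p = s; ; p++) {
        char ch = *p;
        switch (state) {
        case sw_host:
            if ((ch >= 'a' && ch <= 'z') || (ch >= '0' && ch <= '9')
                || ch == '.' || ch == '-')
                break;                            /* legal host character */
            switch (ch) {
            case ':':                             /* host ends, port follows */
                host_end = p;
                state = sw_port;
                break;
            case '/': case ' ': case CR: case LF: case '\0':
                host_end = p;
                goto done;
            case '@':                             /* what came before was userinfo */
                host_start = p + 1;
                break;
            default:                              /* illegal in a host: maybe userinfo */
                state = sw_host_illegal_character;
                break;
            }
            break;

        case sw_host_illegal_character:
            /* swallow bytes until an '@' proves they were userinfo; a
             * terminator first is the original 400 */
            switch (ch) {
            case '@':
                host_start = p + 1;
                state = sw_host;
                break;
            case '/': case ' ': case CR: case LF: case '\0':
                return PARSE_INVALID;
            }
            break;

        case sw_port:
            if (ch >= '0' && ch <= '9')
                break;
            switch (ch) {
            case '/': case ' ': case CR: case LF: case '\0':
                goto done;
            default:                              /* e.g. the "pass" in user:pass@ */
                return PARSE_INVALID;
            }
        }
    }

done:
    if (host_end == host_start)
        return PARSE_INVALID;                     /* empty host */
    *host = host_start;
    *host_len = (size_t)(host_end - host_start);
    return PARSE_OK;
}

/* Host as a C string in a static buffer, or NULL where the parser answers 400. */
const char *host_str(const char *after_scheme)
{
    static char buf[256];
    const char *host;
    size_t len;
    if (parse_authority(after_scheme, &host, &len) != PARSE_OK || len >= sizeof buf)
        return NULL;
    memcpy(buf, host, len);
    buf[len] = '\0';
    return buf;
}

int main(void)
{
    /* constructed request-targets with the scheme already consumed */
    const char *samples[] = { "username+tag@email.com@example.com/", "user@host/",
        "user:pass@host/", "us+er:pass@host/", "a+b?x@evil/", "example.com:8080/path" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *h = host_str(samples[i]);
        printf("%-40s %s\n", samples[i], h ? h : "400 invalid request");
    }
    return 0;
}
```

Running the samples shows what the mail's state machine does on each input: the Xcode/SVN case "username+tag@email.com@example.com/" yields example.com; "user:pass@host/" is still a 400 because ':' in sw_host is taken as the start of a port; "us+er:pass@host/" is accepted as host "host" because the '+' moved the parser into the permissive state before the ':'; and "a+b?x@evil/" yields "evil", since '?' is not in the terminating list. The last two are the cost of the permissiveness the mail mentions.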