mirror of
https://github.com/nginx/nginx.git
synced 2024-12-12 02:09:04 +08:00
Disabled spaces in URIs (ticket #196).
From now on, requests with spaces in URIs are immediately rejected rather than allowed. Spaces were allowed in 31e9677b15a1 (0.8.41) to handle bad clients. It is believed that now this behaviour causes more harm than good.
This commit is contained in:
parent
fee09fc49d
commit
05395f4889
@ -1186,7 +1186,7 @@ ngx_http_proxy_create_key(ngx_http_request_t *r)
|
|||||||
|
|
||||||
loc_len = (r->valid_location && ctx->vars.uri.len) ? plcf->location.len : 0;
|
loc_len = (r->valid_location && ctx->vars.uri.len) ? plcf->location.len : 0;
|
||||||
|
|
||||||
if (r->quoted_uri || r->space_in_uri || r->internal) {
|
if (r->quoted_uri || r->internal) {
|
||||||
escape = 2 * ngx_escape_uri(NULL, r->uri.data + loc_len,
|
escape = 2 * ngx_escape_uri(NULL, r->uri.data + loc_len,
|
||||||
r->uri.len - loc_len, NGX_ESCAPE_URI);
|
r->uri.len - loc_len, NGX_ESCAPE_URI);
|
||||||
} else {
|
} else {
|
||||||
@ -1299,7 +1299,7 @@ ngx_http_proxy_create_request(ngx_http_request_t *r)
|
|||||||
loc_len = (r->valid_location && ctx->vars.uri.len) ?
|
loc_len = (r->valid_location && ctx->vars.uri.len) ?
|
||||||
plcf->location.len : 0;
|
plcf->location.len : 0;
|
||||||
|
|
||||||
if (r->quoted_uri || r->space_in_uri || r->internal) {
|
if (r->quoted_uri || r->internal) {
|
||||||
escape = 2 * ngx_escape_uri(NULL, r->uri.data + loc_len,
|
escape = 2 * ngx_escape_uri(NULL, r->uri.data + loc_len,
|
||||||
r->uri.len - loc_len, NGX_ESCAPE_URI);
|
r->uri.len - loc_len, NGX_ESCAPE_URI);
|
||||||
}
|
}
|
||||||
|
@ -116,10 +116,8 @@ ngx_http_parse_request_line(ngx_http_request_t *r, ngx_buf_t *b)
|
|||||||
sw_host_end,
|
sw_host_end,
|
||||||
sw_host_ip_literal,
|
sw_host_ip_literal,
|
||||||
sw_port,
|
sw_port,
|
||||||
sw_host_http_09,
|
|
||||||
sw_after_slash_in_uri,
|
sw_after_slash_in_uri,
|
||||||
sw_check_uri,
|
sw_check_uri,
|
||||||
sw_check_uri_http_09,
|
|
||||||
sw_uri,
|
sw_uri,
|
||||||
sw_http_09,
|
sw_http_09,
|
||||||
sw_http_H,
|
sw_http_H,
|
||||||
@ -398,7 +396,7 @@ ngx_http_parse_request_line(ngx_http_request_t *r, ngx_buf_t *b)
|
|||||||
*/
|
*/
|
||||||
r->uri_start = r->schema_end + 1;
|
r->uri_start = r->schema_end + 1;
|
||||||
r->uri_end = r->schema_end + 2;
|
r->uri_end = r->schema_end + 2;
|
||||||
state = sw_host_http_09;
|
state = sw_http_09;
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
return NGX_HTTP_PARSE_INVALID_REQUEST;
|
return NGX_HTTP_PARSE_INVALID_REQUEST;
|
||||||
@ -472,35 +470,13 @@ ngx_http_parse_request_line(ngx_http_request_t *r, ngx_buf_t *b)
|
|||||||
*/
|
*/
|
||||||
r->uri_start = r->schema_end + 1;
|
r->uri_start = r->schema_end + 1;
|
||||||
r->uri_end = r->schema_end + 2;
|
r->uri_end = r->schema_end + 2;
|
||||||
state = sw_host_http_09;
|
state = sw_http_09;
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
return NGX_HTTP_PARSE_INVALID_REQUEST;
|
return NGX_HTTP_PARSE_INVALID_REQUEST;
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
|
|
||||||
/* space+ after "http://host[:port] " */
|
|
||||||
case sw_host_http_09:
|
|
||||||
switch (ch) {
|
|
||||||
case ' ':
|
|
||||||
break;
|
|
||||||
case CR:
|
|
||||||
r->http_minor = 9;
|
|
||||||
state = sw_almost_done;
|
|
||||||
break;
|
|
||||||
case LF:
|
|
||||||
r->http_minor = 9;
|
|
||||||
goto done;
|
|
||||||
case 'H':
|
|
||||||
r->http_protocol.data = p;
|
|
||||||
state = sw_http_H;
|
|
||||||
break;
|
|
||||||
default:
|
|
||||||
return NGX_HTTP_PARSE_INVALID_REQUEST;
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
|
|
||||||
|
|
||||||
/* check "/.", "//", "%", and "\" (Win32) in URI */
|
/* check "/.", "//", "%", and "\" (Win32) in URI */
|
||||||
case sw_after_slash_in_uri:
|
case sw_after_slash_in_uri:
|
||||||
|
|
||||||
@ -512,7 +488,7 @@ ngx_http_parse_request_line(ngx_http_request_t *r, ngx_buf_t *b)
|
|||||||
switch (ch) {
|
switch (ch) {
|
||||||
case ' ':
|
case ' ':
|
||||||
r->uri_end = p;
|
r->uri_end = p;
|
||||||
state = sw_check_uri_http_09;
|
state = sw_http_09;
|
||||||
break;
|
break;
|
||||||
case CR:
|
case CR:
|
||||||
r->uri_end = p;
|
r->uri_end = p;
|
||||||
@ -584,7 +560,7 @@ ngx_http_parse_request_line(ngx_http_request_t *r, ngx_buf_t *b)
|
|||||||
break;
|
break;
|
||||||
case ' ':
|
case ' ':
|
||||||
r->uri_end = p;
|
r->uri_end = p;
|
||||||
state = sw_check_uri_http_09;
|
state = sw_http_09;
|
||||||
break;
|
break;
|
||||||
case CR:
|
case CR:
|
||||||
r->uri_end = p;
|
r->uri_end = p;
|
||||||
@ -621,31 +597,6 @@ ngx_http_parse_request_line(ngx_http_request_t *r, ngx_buf_t *b)
|
|||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
|
|
||||||
/* space+ after URI */
|
|
||||||
case sw_check_uri_http_09:
|
|
||||||
switch (ch) {
|
|
||||||
case ' ':
|
|
||||||
break;
|
|
||||||
case CR:
|
|
||||||
r->http_minor = 9;
|
|
||||||
state = sw_almost_done;
|
|
||||||
break;
|
|
||||||
case LF:
|
|
||||||
r->http_minor = 9;
|
|
||||||
goto done;
|
|
||||||
case 'H':
|
|
||||||
r->http_protocol.data = p;
|
|
||||||
state = sw_http_H;
|
|
||||||
break;
|
|
||||||
default:
|
|
||||||
r->space_in_uri = 1;
|
|
||||||
state = sw_check_uri;
|
|
||||||
p--;
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
|
|
||||||
|
|
||||||
/* URI */
|
/* URI */
|
||||||
case sw_uri:
|
case sw_uri:
|
||||||
|
|
||||||
@ -692,10 +643,7 @@ ngx_http_parse_request_line(ngx_http_request_t *r, ngx_buf_t *b)
|
|||||||
state = sw_http_H;
|
state = sw_http_H;
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
r->space_in_uri = 1;
|
return NGX_HTTP_PARSE_INVALID_REQUEST;
|
||||||
state = sw_uri;
|
|
||||||
p--;
|
|
||||||
break;
|
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
|
|
||||||
@ -1171,9 +1119,7 @@ ngx_http_parse_uri(ngx_http_request_t *r)
|
|||||||
|
|
||||||
switch (ch) {
|
switch (ch) {
|
||||||
case ' ':
|
case ' ':
|
||||||
r->space_in_uri = 1;
|
return NGX_ERROR;
|
||||||
state = sw_check_uri;
|
|
||||||
break;
|
|
||||||
case '.':
|
case '.':
|
||||||
r->complex_uri = 1;
|
r->complex_uri = 1;
|
||||||
state = sw_uri;
|
state = sw_uri;
|
||||||
@ -1232,8 +1178,7 @@ ngx_http_parse_uri(ngx_http_request_t *r)
|
|||||||
r->uri_ext = p + 1;
|
r->uri_ext = p + 1;
|
||||||
break;
|
break;
|
||||||
case ' ':
|
case ' ':
|
||||||
r->space_in_uri = 1;
|
return NGX_ERROR;
|
||||||
break;
|
|
||||||
#if (NGX_WIN32)
|
#if (NGX_WIN32)
|
||||||
case '\\':
|
case '\\':
|
||||||
r->complex_uri = 1;
|
r->complex_uri = 1;
|
||||||
@ -1267,8 +1212,7 @@ ngx_http_parse_uri(ngx_http_request_t *r)
|
|||||||
|
|
||||||
switch (ch) {
|
switch (ch) {
|
||||||
case ' ':
|
case ' ':
|
||||||
r->space_in_uri = 1;
|
return NGX_ERROR;
|
||||||
break;
|
|
||||||
case '#':
|
case '#':
|
||||||
r->complex_uri = 1;
|
r->complex_uri = 1;
|
||||||
break;
|
break;
|
||||||
|
@ -1264,7 +1264,7 @@ ngx_http_process_request_uri(ngx_http_request_t *r)
|
|||||||
r->unparsed_uri.len = r->uri_end - r->uri_start;
|
r->unparsed_uri.len = r->uri_end - r->uri_start;
|
||||||
r->unparsed_uri.data = r->uri_start;
|
r->unparsed_uri.data = r->uri_start;
|
||||||
|
|
||||||
r->valid_unparsed_uri = (r->space_in_uri || r->empty_path_in_uri) ? 0 : 1;
|
r->valid_unparsed_uri = r->empty_path_in_uri ? 0 : 1;
|
||||||
|
|
||||||
if (r->uri_ext) {
|
if (r->uri_ext) {
|
||||||
if (r->args_start) {
|
if (r->args_start) {
|
||||||
|
@ -468,9 +468,6 @@ struct ngx_http_request_s {
|
|||||||
/* URI with "+" */
|
/* URI with "+" */
|
||||||
unsigned plus_in_uri:1;
|
unsigned plus_in_uri:1;
|
||||||
|
|
||||||
/* URI with " " */
|
|
||||||
unsigned space_in_uri:1;
|
|
||||||
|
|
||||||
/* URI with empty path */
|
/* URI with empty path */
|
||||||
unsigned empty_path_in_uri:1;
|
unsigned empty_path_in_uri:1;
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user