mirror/nginx
1
0
Fork 0
mirror of https://github.com/nginx/nginx.git synced 2025-06-13 06:12:44 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

Win32: uris with ":$" are now rejected.

Browse Source 
There are too many problems with special NTFS streams, notably "::$data",
"::$index_allocation" and ":$i30:$index_allocation".

For now we don't reject all URIs with ":" like Apache does as there are no
good reasons seen yet, and there are multiple programs using it in URLs
(e.g. MediaWiki).
This commit is contained in:
Maxim Dounin 2012-06-05 13:38:27 +00:00
parent f83598a359
commit 0d7720ddc0
1 changed files with 22 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
src/http/ngx_http_request.c
View File

@ -812,7 +812,28 @@ ngx_http_process_request_line(ngx_event_t *rev)
#if (NGX_WIN32) #if (NGX_WIN32)
{ {
u_char *p; u_char *p, *last;
p = r->uri.data;
last = r->uri.data + r->uri.len;
while (p < last) {
if (*p++ == ':') {
/*
* this check covers "::$data", "::$index_allocation" and
* ":$i30:$index_allocation"
*/
if (p < last && *p == '$') {
ngx_log_error(NGX_LOG_INFO, c->log, 0,
"client sent unsafe win32 URI");
ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
return;
}
}
}
p = r->uri.data + r->uri.len - 1; p = r->uri.data + r->uri.len - 1;
@ -828,11 +849,6 @@ ngx_http_process_request_line(ngx_event_t *rev)
continue; continue;
} }
if (ngx_strncasecmp(p - 6, (u_char *) "::$data", 7) == 0) {
p -= 7;
continue;
}
break; break;
} }