Merge 0ae6ece357 into 5b8a5c08ce

2025-06-17 17:20:42 +08:00 · 2025-05-30 00:17:40 +10:00 · 2025-05-30 00:17:40 +10:00 · 2cf34697df
commit 2cf34697df
parent 5b8a5c08ce 0ae6ece357
4 changed files with 36 additions and 23 deletions
--- a/src/core/ngx_string.c
+++ b/src/core/ngx_string.c
@ -1565,6 +1565,26 @@ ngx_escape_uri(u_char *dst, u_char *src, size_t size, ngx_uint_t type)
                    /*  ~}| {zyx wvut srqp  onml kjih gfed cba` */
        0xb8000001, /* 1011 1000 0000 0000  0000 0000 0000 0001 */
        0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
        0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
        0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
        0xffffffff  /* 1111 1111 1111 1111  1111 1111 1111 1111 */
    };
                    /* " ", "#", "%", "?", not allowed */
    static uint32_t   uri_path[] = {
        0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
                    /* ?>=< ;:98 7654 3210  /.-, +*)( '&%$ #"!  */
        0xd800002d, /* 1101 1000 0000 0000  0000 0000 0010 1101 */
                    /* _^]\ [ZYX WVUT SRQP  ONML KJIH GFED CBA@ */
        0x50000000, /* 0101 0000 0000 0000  0000 0000 0000 0000 */
                    /*  ~}| {zyx wvut srqp  onml kjih gfed cba` */
        0xb8000001, /* 1011 1000 0000 0000  0000 0000 0000 0001 */
        0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
        0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
        0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
@ -1634,7 +1654,7 @@ ngx_escape_uri(u_char *dst, u_char *src, size_t size, ngx_uint_t type)
                    /* mail_auth is the same as memcached */
    static uint32_t  *map[] =
-        { uri, args, uri_component, html, refresh, memcached, memcached };
+        { uri, args, uri_component, html, refresh, memcached, memcached, uri_path };
    escape = map[type];
--- a/src/core/ngx_string.h
+++ b/src/core/ngx_string.h
@ -203,6 +203,7 @@ u_char *ngx_utf8_cpystrn(u_char *dst, u_char *src, size_t n, size_t len);
 #define NGX_ESCAPE_REFRESH        4
 #define NGX_ESCAPE_MEMCACHED      5
 #define NGX_ESCAPE_MAIL_AUTH      6
 #define NGX_ESCAPE_URI_PATH       7
 #define NGX_UNESCAPE_URI       1
 #define NGX_UNESCAPE_REDIRECT  2
--- a/src/http/modules/ngx_http_proxy_module.c
+++ b/src/http/modules/ngx_http_proxy_module.c
@ -1208,12 +1208,8 @@ ngx_http_proxy_create_key(ngx_http_request_t *r)
    loc_len = (r->valid_location && ctx->vars.uri.len) ? plcf->location.len : 0;
    if (r->quoted_uri || r->internal) {
    escape = 2 * ngx_escape_uri(NULL, r->uri.data + loc_len,
-                                    r->uri.len - loc_len, NGX_ESCAPE_URI);
+                                r->uri.len - loc_len, NGX_ESCAPE_URI_PATH);
    } else {
        escape = 0;
    }
    len = ctx->vars.uri.len + r->uri.len - loc_len + escape
          + sizeof("?") - 1 + r->args.len;
@ -1231,7 +1227,7 @@ ngx_http_proxy_create_key(ngx_http_request_t *r)
    if (escape) {
        ngx_escape_uri(p, r->uri.data + loc_len,
-                       r->uri.len - loc_len, NGX_ESCAPE_URI);
+                       r->uri.len - loc_len, NGX_ESCAPE_URI_PATH);
        p += r->uri.len - loc_len + escape;
    } else {
@ -1321,10 +1317,8 @@ ngx_http_proxy_create_request(ngx_http_request_t *r)
        loc_len = (r->valid_location && ctx->vars.uri.len) ?
                      plcf->location.len : 0;
        if (r->quoted_uri || r->internal) {
        escape = 2 * ngx_escape_uri(NULL, r->uri.data + loc_len,
-                                        r->uri.len - loc_len, NGX_ESCAPE_URI);
+                                    r->uri.len - loc_len, NGX_ESCAPE_URI_PATH);
        }
        uri_len = ctx->vars.uri.len + r->uri.len - loc_len + escape
                  + sizeof("?") - 1 + r->args.len;
@ -1448,7 +1442,7 @@ ngx_http_proxy_create_request(ngx_http_request_t *r)
        if (escape) {
            ngx_escape_uri(b->last, r->uri.data + loc_len,
-                           r->uri.len - loc_len, NGX_ESCAPE_URI);
+                           r->uri.len - loc_len, NGX_ESCAPE_URI_PATH);
            b->last += r->uri.len - loc_len + escape;
        } else {
--- a/src/http/ngx_http_parse.c
+++ b/src/http/ngx_http_parse.c
@ -1295,7 +1295,7 @@ ngx_http_parse_complex_uri(ngx_http_request_t *r, ngx_uint_t merge_slashes)
            switch (ch) {
 #if (NGX_WIN32)
            case '\\':
-                if (u - 2 >= r->uri.data
+                if (u - r->uri.data >= 2
                    && *(u - 1) == '.' && *(u - 2) != '.')
                {
                    u--;
@ -1319,7 +1319,7 @@ ngx_http_parse_complex_uri(ngx_http_request_t *r, ngx_uint_t merge_slashes)
 #endif
            case '/':
 #if (NGX_WIN32)
-                if (u - 2 >= r->uri.data
+                if (u - r->uri.data >= 2
                    && *(u - 1) == '.' && *(u - 2) != '.')
                {
                    u--;
@ -1457,13 +1457,12 @@ ngx_http_parse_complex_uri(ngx_http_request_t *r, ngx_uint_t merge_slashes)
            case '/':
            case '?':
            case '#':
-                u -= 4;
+                u -= 3;
                for ( ;; ) {
-                    if (u < r->uri.data) {
+                    if (u <= r->uri.data) {
                        return NGX_HTTP_PARSE_INVALID_REQUEST;
                    }
-                    if (*u == '/') {
+                    if (u[-1] == '/') {
                        u++;
                        break;
                    }
                    u--;
@ -1561,15 +1560,14 @@ ngx_http_parse_complex_uri(ngx_http_request_t *r, ngx_uint_t merge_slashes)
        u--;
    } else if (state == sw_dot_dot) {
-        u -= 4;
+        u -= 3;
        for ( ;; ) {
-            if (u < r->uri.data) {
+            if (u <= r->uri.data) {
                return NGX_HTTP_PARSE_INVALID_REQUEST;
            }
-            if (*u == '/') {
+            if (u[-1] == '/') {
                u++;
                break;
            }