From 336bcb22d19ff67a696a2a8a3aaa1210169ecdc7 Mon Sep 17 00:00:00 2001
From: Ruslan Ermilov <ru@nginx.com>
Date: Mon, 23 Dec 2013 18:11:56 +0400
Subject: [PATCH] Detect more unsafe URIs in ngx_http_parse_unsafe_uri().

The following URIs were considered safe: "..", "../foo", and "/foo/..".
---
 src/http/ngx_http_parse.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/http/ngx_http_parse.c b/src/http/ngx_http_parse.c
index cf89b8cfe..a895a8958 100644
--- a/src/http/ngx_http_parse.c
+++ b/src/http/ngx_http_parse.c
@@ -1790,7 +1790,9 @@ ngx_http_parse_unsafe_uri(ngx_http_request_t *r, ngx_str_t *uri,
         goto unsafe;
     }
 
-    if (p[0] == '.' && len == 3 && p[1] == '.' && (ngx_path_separator(p[2]))) {
+    if (p[0] == '.' && len > 1 && p[1] == '.'
+        && (len == 2 || ngx_path_separator(p[2])))
+    {
         goto unsafe;
     }
 
@@ -1816,9 +1818,11 @@ ngx_http_parse_unsafe_uri(ngx_http_request_t *r, ngx_str_t *uri,
 
         if (ngx_path_separator(ch) && len > 2) {
 
-            /* detect "/../" */
+            /* detect "/../" and "/.." */
 
-            if (p[0] == '.' && p[1] == '.' && ngx_path_separator(p[2])) {
+            if (p[0] == '.' && p[1] == '.'
+                && (len == 3 || ngx_path_separator(p[2])))
+            {
                 goto unsafe;
             }
         }