Detect more unsafe URIs in ngx_http_parse_unsafe_uri().

The following URIs were considered safe: "..", "../foo", and "/foo/..".
Ruslan Ermilov 2013-12-23 18:11:56 +04:00
parent 3f36c684a1
commit 336bcb22d1


@ -1790,7 +1790,9 @@ ngx_http_parse_unsafe_uri(ngx_http_request_t *r, ngx_str_t *uri,
goto unsafe; goto unsafe;
} }
if (p[0] == '.' && len == 3 && p[1] == '.' && (ngx_path_separator(p[2]))) { if (p[0] == '.' && len > 1 && p[1] == '.'
&& (len == 2 || ngx_path_separator(p[2])))
{
goto unsafe; goto unsafe;
} }
@ -1816,9 +1818,11 @@ ngx_http_parse_unsafe_uri(ngx_http_request_t *r, ngx_str_t *uri,
if (ngx_path_separator(ch) && len > 2) { if (ngx_path_separator(ch) && len > 2) {
/* detect "/../" */ /* detect "/../" and "/.." */
if (p[0] == '.' && p[1] == '.' && ngx_path_separator(p[2])) { if (p[0] == '.' && p[1] == '.'
&& (len == 3 || ngx_path_separator(p[2])))
{
goto unsafe; goto unsafe;
} }
} }
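Review bot: Both new conditions recognise a trailing ".." only when it ends the buffer (`len == 2` in the first check, `len == 3` in the second), so a ".." component followed by anything other than a path separator, most plausibly a `?` that starts the query string, is still reported as safe. Whether `uri` can still carry a query string at these two points is decided outside the hunks, so this should be confirmed against the rest of ngx_http_parse_unsafe_uri(). If it can, treat `?` as the end of the component as well: `&& (len == 2 || ngx_path_separator(p[2]) || p[2] == '?'))` and `&& (len == 3 || ngx_path_separator(p[2]) || p[2] == '?'))`. The first check would also benefit from a comment matching the second, for example `/* detect ".." and "../" at the start */`. Beside the second check it is worth noting that `len` appears to still count the separator just read, which is why `len == 3` means the URI ends in "/..".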