check unsafe Destination

This commit is contained in:
Igor Sysoev 2009-09-25 09:30:06 +00:00
parent 7f6d71bbc8
commit a552ab476e
5 changed files with 18 additions and 9 deletions


@ -516,8 +516,8 @@ ngx_http_dav_copy_move_handler(ngx_http_request_t *r)
size_t len, root; size_t len, root;
ngx_err_t err; ngx_err_t err;
ngx_int_t rc, depth; ngx_int_t rc, depth;
ngx_uint_t overwrite, slash, dir; ngx_uint_t overwrite, slash, dir, flags;
ngx_str_t path, uri; ngx_str_t path, uri, duri, args;
ngx_tree_ctx_t tree; ngx_tree_ctx_t tree;
ngx_copy_file_t cf; ngx_copy_file_t cf;
ngx_file_info_t fi; ngx_file_info_t fi;
@ -594,6 +594,14 @@ invalid_destination:
destination_done: destination_done:
duri.len = last - p;
duri.data = p;
flags = 0;
if (ngx_http_parse_unsafe_uri(r, &duri, &args, &flags) != NGX_OK) {
goto invalid_destination;
}
if ((r->uri.data[r->uri.len - 1] == '/' && *(last - 1) != '/') if ((r->uri.data[r->uri.len - 1] == '/' && *(last - 1) != '/')
|| (r->uri.data[r->uri.len - 1] != '/' && *(last - 1) == '/')) || (r->uri.data[r->uri.len - 1] != '/' && *(last - 1) == '/'))
{ {
@ -656,9 +664,7 @@ overwrite_done:
"http copy from: \"%s\"", path.data); "http copy from: \"%s\"", path.data);
uri = r->uri; uri = r->uri;
r->uri = duri;
r->uri.len = last - p;
r->uri.data = p;
ngx_http_map_uri_to_path(r, &copy.path, &root, 0); ngx_http_map_uri_to_path(r, &copy.path, &root, 0);
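Review bot: The trailing-slash comparison immediately after the new check still reads `*(last - 1)`, the end of the raw Destination value, while `duri` may have been shortened by `ngx_http_parse_unsafe_uri` — its `args` out-parameter suggests it splits a `?query` off the URI, though that logic is outside this hunk. If so, a Destination carrying a query string would be compared on the last byte of the query rather than of the path, while the later `r->uri = duri` maps only the trimmed path. Using `duri.data[duri.len - 1]` on both sides of that condition keeps the check and the mapped path consistent, with a `duri.len == 0` guard first unless the parser is known to reject empty input. Passing `flags = 0` also means a rejected Destination is not logged, unlike the SSI and X-Accel-Redirect callers in this commit; if that is deliberate (client-controlled header, log noise), a one-line comment saying so would help. `ngx_http_dav_copy_move_handler` begins and ends outside these hunks.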


@ -1908,7 +1908,7 @@ ngx_http_ssi_include(ngx_http_request_t *r, ngx_http_ssi_ctx_t *ctx,
args.len = 0; args.len = 0;
args.data = NULL; args.data = NULL;
flags = 0; flags = NGX_HTTP_LOG_UNSAFE;
if (ngx_http_parse_unsafe_uri(r, uri, &args, &flags) != NGX_OK) { if (ngx_http_parse_unsafe_uri(r, uri, &args, &flags) != NGX_OK) {
return NGX_HTTP_SSI_ERROR; return NGX_HTTP_SSI_ERROR;


@ -1322,8 +1322,10 @@ ngx_http_parse_unsafe_uri(ngx_http_request_t *r, ngx_str_t *uri,
unsafe: unsafe:
if (*flags & NGX_HTTP_LOG_UNSAFE) {
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
"unsafe URI \"%V\" was detected", uri); "unsafe URI \"%V\" was detected", uri);
}
return NGX_ERROR; return NGX_ERROR;
} }


@ -60,6 +60,7 @@
#define NGX_HTTP_ZERO_IN_URI 1 #define NGX_HTTP_ZERO_IN_URI 1
#define NGX_HTTP_SUBREQUEST_IN_MEMORY 2 #define NGX_HTTP_SUBREQUEST_IN_MEMORY 2
#define NGX_HTTP_SUBREQUEST_WAITED 4 #define NGX_HTTP_SUBREQUEST_WAITED 4
#define NGX_HTTP_LOG_UNSAFE 8
#define NGX_HTTP_OK 200 #define NGX_HTTP_OK 200
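Review bot: `NGX_HTTP_LOG_UNSAFE` is defined in the same value space as `NGX_HTTP_ZERO_IN_URI` (1) and the `NGX_HTTP_SUBREQUEST_*` bits (2, 4), but nothing here says which function consumes which bit; the SSI and upstream hunks show this one is read by `ngx_http_parse_unsafe_uri` through its `flags` pointer. A comment next to the define such as `/* input flag for ngx_http_parse_unsafe_uri(): log rejected URIs at error level */` would stop a future caller from treating it as a subrequest flag. Whether the parser clears the bit before the same flags word is passed on elsewhere is not visible in this commit.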


@ -1797,7 +1797,7 @@ ngx_http_upstream_process_headers(ngx_http_request_t *r, ngx_http_upstream_t *u)
uri = &u->headers_in.x_accel_redirect->value; uri = &u->headers_in.x_accel_redirect->value;
args.len = 0; args.len = 0;
args.data = NULL; args.data = NULL;
flags = 0; flags = NGX_HTTP_LOG_UNSAFE;
if (ngx_http_parse_unsafe_uri(r, uri, &args, &flags) != NGX_OK) { if (ngx_http_parse_unsafe_uri(r, uri, &args, &flags) != NGX_OK) {
ngx_http_finalize_request(r, NGX_HTTP_NOT_FOUND); ngx_http_finalize_request(r, NGX_HTTP_NOT_FOUND);