Valentin Bartenev
9197a3c874
Parenthesized ASCII-related calculations.
This also fixes potential undefined behaviour in the range and slice filter
modules, caused by local overflows of signed integers in expressions.
2017-07-17 17:23:51 +03:00
Maxim Dounin
8449f750e6
Added missing "fall through" comments (ticket #1259).
Found by gcc7 (-Wimplicit-fallthrough).
2017-04-27 16:57:18 +03:00
Ruslan Ermilov
8ae2bc9320
Don't pretend we support HTTP major versions >1 as HTTP/1.1.
2017-04-25 23:39:13 +03:00
Maxim Dounin
82ec849271
Allowed '-' in method names.
It is used at least by SOAP (M-POST method, defined by RFC 2774) and
by WebDAV versioning (VERSION-CONTROL and BASELINE-CONTROL methods,
defined by RFC 3253).
2016-10-10 16:24:50 +03:00
Sergey Kandaurov
6299f5e914
Avoid left-shifting integers into the sign bit, which is undefined.
Found with UndefinedBehaviorSanitizer.
2016-07-07 21:02:28 +03:00
Maxim Dounin
e647c47f2a
Added overflow checks for version numbers (ticket #762).
Both minor and major versions are now limited to 999 maximum. In case of
r->http_minor, this limit is already implied by the code. Major version,
r->http_major, in theory can be up to 65535 with current code, but such
values are very unlikely to become real (and, additionally, such values
are not allowed by RFC 7230), so the same test was used for r->http_major.
2016-05-18 16:21:32 +03:00
Ruslan Ermilov
4fe0a09942
Overflow detection in ngx_http_parse_chunked().
2015-03-17 00:26:27 +03:00
Piotr Sikora
7e7589e746
Style: add whitespace between control statement and parentheses.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-07-08 03:03:13 -07:00
Vladimir Homutov
ed6780aaf1
Upstream: added the "$upstream_cookie_<name>" variables.
2014-04-29 12:28:41 +04:00
Piotr Sikora
ac1617915c
Apply underscores_in_headers also to the first character.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-03-24 16:35:44 -07:00
Ruslan Ermilov
f7ff5e65d0
Teach ngx_http_parse_unsafe_uri() how to unescape URIs.
This fixes handling of escaped URIs in X-Accel-Redirect (ticket #316),
SSI (ticket #240), and DAV.
2013-12-23 18:12:00 +04:00
Ruslan Ermilov
336bcb22d1
Detect more unsafe URIs in ngx_http_parse_unsafe_uri().
The following URIs were considered safe: "..", "../foo", and "/foo/..".
2013-12-23 18:11:56 +04:00
Ruslan Ermilov
d47c435e9e
Proper backtracking after space in a request line.
2013-11-19 06:57:58 +04:00
Maxim Dounin
0a6efeee71
Minor ngx_http_parse_request_line() optimization.
Noted by Nils Kuhnhenn.
2013-08-21 12:51:31 +04:00
Maxim Dounin
88fc0f793e
Fixed ngx_http_parse_chunked() minimal length calculation.
Minimal data length we expect for further calls was calculated incorrectly
if parsing stopped right after parsing chunk size. This might in theory
affect clients and/or backends using LF instead of CRLF.
Patch by Dmitry Popov.
2013-06-28 13:55:05 +04:00
Maxim Dounin
dc5c6928fb
Fixed debug logging in ngx_http_parse_complex_uri().
The *u previously logged isn't yet initialized at this point, and
Valgrind complains.
2013-06-05 19:45:08 +04:00
Maxim Dounin
818807d71e
Fixed chunk size parsing.
2013-05-06 14:03:24 +04:00
Valentin Bartenev
2686cb4452
Preliminary experimental support for SPDY draft 2.
2013-03-20 10:36:57 +00:00
Maxim Dounin
6ddf23bdc4
Request body: adjust b->pos when chunked parsing done.
This is a nop for the current code, though will allow to correctly parse
pipelined requests.
2012-11-21 01:02:56 +00:00
Maxim Dounin
df74d88156
Request body: chunked parsing moved to ngx_http_parse.c from proxy.
No functional changes.
2012-11-21 00:59:16 +00:00
Maxim Dounin
f83598a359
Win32: normalization of trailing dot inside uri.
Windows treats "/directory./" identical to "/directory/". Do the same
when working on Windows. Note that the behaviour is different from one
with last path component (where multiple spaces and dots are ignored by
Windows).
2012-06-05 13:37:29 +00:00
Ruslan Ermilov
47a04aaa27
Fixed spelling in multiline C comments.
2012-04-03 07:37:31 +00:00
Maxim Konovalov
acf6c79ac7
For the sake of case/switch code readability, 'fall through'
comments added.
2012-03-19 14:57:29 +00:00
Maxim Dounin
d1ed97b18b
Headers with null character are now rejected.
Headers with NUL character aren't allowed by HTTP standard and may cause
various security problems. They are now unconditionally rejected.
2012-03-15 11:27:57 +00:00
Maxim Konovalov
f8d59e33f3
Copyright updated.
2012-01-18 15:07:43 +00:00
Valentin Bartenev
1373558163
Added support for IP-literal in the Host header and request line (ticket #1).
Additional parsing logic added to correctly handle RFC 3986 compliant IPv6 and
IPvFuture characters enclosed in square brackets.
The host validation was completely rewritten. The behavior for non IP literals
was changed in a more proper and safer way:
- Host part is now delimited either by the first colon or by the end of string
  if there's no colon. Previously the last colon was used as delimiter which
  allowed substitution of a port number in the $host variable.
  (e.g. Host: 127.0.0.1:9000:80)
- Fixed stripping of the ending dot in the Host header when the host was also
  followed by a port number.
  (e.g. Host: nginx.com.:80)
- Fixed upper case characters detection. Previously it was broken which led to
  wasting memory and CPU.
2011-11-28 09:15:33 +00:00
Maxim Dounin
f2fcf11b25
Protocol version parsing in ngx_http_parse_status_line().
Once we know protocol version, set u->headers_in.connection_close to indicate
implicitly assumed connection close with HTTP before 1.1.
2011-09-15 19:22:35 +00:00
Igor Sysoev
aa6936e61a
style fix
2010-06-23 16:34:54 +00:00
Igor Sysoev
0aae446c7c
ngx_http_parse_status_line()
2010-06-15 15:13:34 +00:00
Igor Sysoev
da7b5e15de
allow spaces in URI
2010-06-15 09:31:19 +00:00
Igor Sysoev
ea16b14cc5
PATCH method
2010-06-10 11:08:28 +00:00
Igor Sysoev
4cf7f2727d
fix "/dir/%3F../" and "/dir/%23../" cases
2010-06-04 16:05:55 +00:00
Igor Sysoev
de0b1d6f12
remove r->zero_in_uri
2010-05-24 12:35:10 +00:00
Igor Sysoev
a552ab476e
check unsafe Destination
2009-09-25 09:30:06 +00:00
Igor Sysoev
97aa4c86a1
handle "/../" case more reliably
2009-09-14 07:42:01 +00:00
Igor Sysoev
63494b4c79
decrease slightly ngx_http_parse_header_line() size:
this line is not required for LF, however, this case is very seldom
2009-09-02 07:02:49 +00:00
Igor Sysoev
2e9ea35fd7
fix segfault when a header starts with "\rX"
and logging is set to info or debug level
2009-09-01 12:32:37 +00:00
Igor Sysoev
55d47a81a9
do not test "..." case since it's Win9x family feature only
2009-07-20 12:23:04 +00:00
Igor Sysoev
df4b230ede
allow underscore in request method
2009-07-13 09:33:34 +00:00
Igor Sysoev
bf14b000e6
ngx_path_separator()
2009-04-23 16:38:59 +00:00
Igor Sysoev
1dcaa97ccc
refactor ngx_http_arg() using ngx_strcasestrn(),
back out zero termination introduced in r2138
2009-04-04 17:51:38 +00:00
Igor Sysoev
f072a02ec5
fix r2579
2009-03-30 14:15:47 +00:00
Igor Sysoev
9bc41a4281
style fix: remove tabs
2009-03-22 15:50:07 +00:00
Igor Sysoev
2c7cb55ac1
ngx_http_split_args()
2009-03-19 13:41:29 +00:00
Igor Sysoev
84d17bba65
ngx_http_arg()
2008-12-22 12:02:05 +00:00
Igor Sysoev
753792e108
underscores_in_headers
2008-09-24 14:02:50 +00:00
Igor Sysoev
f8c4ae3151
allow underscores in client request header lines
2008-09-08 08:26:42 +00:00
Igor Sysoev
70d0961658
test the more likely case first
2008-03-16 16:47:16 +00:00
Igor Sysoev
8c8a6e5f2f
use the more correct mask
2008-03-16 13:29:49 +00:00
Igor Sysoev
b862cf4076
fix merge_slashes
2007-12-14 14:33:00 +00:00