Detect more unsafe URIs in ngx_http_parse_unsafe_uri().

The following URIs were considered safe: "..", "../foo", and "/foo/..".
author: Ruslan Ermilov <ru@nginx.com> 2013-12-23 18:11:56 +0400
committer: Ruslan Ermilov <ru@nginx.com> 2013-12-23 18:11:56 +0400
commit: 336bcb22d19ff67a696a2a8a3aaa1210169ecdc7 (patch)
tree: 5b6ee19fdc425270fd1e336d0f4e961ade4f6015 /src/http/ngx_http_parse.c
parent: 3f36c684a1b32e047ae8209c338e7a5f072435ed (diff)
download: nginx-336bcb22d19ff67a696a2a8a3aaa1210169ecdc7.tar.gz
nginx-336bcb22d19ff67a696a2a8a3aaa1210169ecdc7.zip
1 files changed, 7 insertions, 3 deletions
diff --git a/src/http/ngx_http_parse.c b/src/http/ngx_http_parse.c
index cf89b8cfe..a895a8958 100644
--- a/src/http/ngx_http_parse.c
+++ b/src/http/ngx_http_parse.c
@@ -1790,7 +1790,9 @@ ngx_http_parse_unsafe_uri(ngx_http_request_t *r, ngx_str_t *uri,
         goto unsafe;
     }
 
-    if (p[0] == '.' && len == 3 && p[1] == '.' && (ngx_path_separator(p[2]))) {
+    if (p[0] == '.' && len > 1 && p[1] == '.'
+        && (len == 2 || ngx_path_separator(p[2])))
+    {
         goto unsafe;
     }
 
@@ -1816,9 +1818,11 @@ ngx_http_parse_unsafe_uri(ngx_http_request_t *r, ngx_str_t *uri,
 
         if (ngx_path_separator(ch) && len > 2) {
 
-            /* detect "/../" */
+            /* detect "/../" and "/.." */
 
-            if (p[0] == '.' && p[1] == '.' && ngx_path_separator(p[2])) {
+            if (p[0] == '.' && p[1] == '.'
+                && (len == 3 || ngx_path_separator(p[2])))
+            {
                 goto unsafe;
             }
         }
author	Ruslan Ermilov <ru@nginx.com>	2013-12-23 18:11:56 +0400
committer	Ruslan Ermilov <ru@nginx.com>	2013-12-23 18:11:56 +0400
commit	336bcb22d19ff67a696a2a8a3aaa1210169ecdc7 (patch)
tree	5b6ee19fdc425270fd1e336d0f4e961ade4f6015 /src/http/ngx_http_parse.c
parent	3f36c684a1b32e047ae8209c338e7a5f072435ed (diff)
download	nginx-336bcb22d19ff67a696a2a8a3aaa1210169ecdc7.tar.gz nginx-336bcb22d19ff67a696a2a8a3aaa1210169ecdc7.zip