Teach ngx_http_parse_unsafe_uri() how to unescape URIs.

This fixes handling of escaped URIs in X-Accel-Redirect (ticket #316), SSI (ticket #240), and DAV.
author: Ruslan Ermilov <ru@nginx.com> 2013-12-23 18:12:00 +0400
committer: Ruslan Ermilov <ru@nginx.com> 2013-12-23 18:12:00 +0400
commit: f7ff5e65d0d20ba0425be7e3d8de4d04ceec9206 (patch)
tree: dd55a2892d27b25983e8a954319f499678f77eaf /src/http/ngx_http_parse.c
parent: 336bcb22d19ff67a696a2a8a3aaa1210169ecdc7 (diff)
download: nginx-f7ff5e65d0d20ba0425be7e3d8de4d04ceec9206.tar.gz
nginx-f7ff5e65d0d20ba0425be7e3d8de4d04ceec9206.zip
1 files changed, 60 insertions, 3 deletions
diff --git a/src/http/ngx_http_parse.c b/src/http/ngx_http_parse.c
index a895a8958..8c1a62a7b 100644
--- a/src/http/ngx_http_parse.c
+++ b/src/http/ngx_http_parse.c
@@ -1780,11 +1780,13 @@ ngx_int_t
 ngx_http_parse_unsafe_uri(ngx_http_request_t *r, ngx_str_t *uri,
     ngx_str_t *args, ngx_uint_t *flags)
 {
-    u_char  ch, *p;
-    size_t  len;
+    u_char      ch, *p, *src, *dst;
+    size_t      len;
+    ngx_uint_t  quoted;
 
     len = uri->len;
     p = uri->data;
+    quoted = 0;
 
     if (len == 0 || p[0] == '?') {
         goto unsafe;
@@ -1800,6 +1802,11 @@ ngx_http_parse_unsafe_uri(ngx_http_request_t *r, ngx_str_t *uri,
 
         ch = *p++;
 
+        if (ch == '%') {
+            quoted = 1;
+            continue;
+        }
+
         if (usual[ch >> 5] & (1 << (ch & 0x1f))) {
             continue;
         }
@@ -1809,7 +1816,7 @@ ngx_http_parse_unsafe_uri(ngx_http_request_t *r, ngx_str_t *uri,
             args->data = p;
             uri->len -= len;
 
-            return NGX_OK;
+            break;
         }
 
         if (ch == '\0') {
@@ -1828,6 +1835,56 @@ ngx_http_parse_unsafe_uri(ngx_http_request_t *r, ngx_str_t *uri,
         }
     }
 
+    if (quoted) {
+        ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
+                       "escaped URI: \"%V\"", uri);
+
+        src = uri->data;
+
+        dst = ngx_pnalloc(r->pool, uri->len);
+        if (dst == NULL) {
+            return NGX_ERROR;
+        }
+
+        uri->data = dst;
+
+        ngx_unescape_uri(&dst, &src, uri->len, 0);
+
+        uri->len = dst - uri->data;
+
+        ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
+                       "unescaped URI: \"%V\"", uri);
+
+        len = uri->len;
+        p = uri->data;
+
+        if (p[0] == '.' && len > 1 && p[1] == '.'
+            && (len == 2 || ngx_path_separator(p[2])))
+        {
+            goto unsafe;
+        }
+
+        for ( /* void */ ; len; len--) {
+
+            ch = *p++;
+
+            if (ch == '\0') {
+                goto unsafe;
+            }
+
+            if (ngx_path_separator(ch) && len > 2) {
+
+                /* detect "/../" and "/.." */
+
+                if (p[0] == '.' && p[1] == '.'
+                    && (len == 3 || ngx_path_separator(p[2])))
+                {
+                    goto unsafe;
+                }
+            }
+        }
+    }
+
     return NGX_OK;
 
 unsafe:
author	Ruslan Ermilov <ru@nginx.com>	2013-12-23 18:12:00 +0400
committer	Ruslan Ermilov <ru@nginx.com>	2013-12-23 18:12:00 +0400
commit	f7ff5e65d0d20ba0425be7e3d8de4d04ceec9206 (patch)
tree	dd55a2892d27b25983e8a954319f499678f77eaf /src/http/ngx_http_parse.c
parent	336bcb22d19ff67a696a2a8a3aaa1210169ecdc7 (diff)
download	nginx-f7ff5e65d0d20ba0425be7e3d8de4d04ceec9206.tar.gz nginx-f7ff5e65d0d20ba0425be7e3d8de4d04ceec9206.zip