author | Maxim Dounin <mdounin@mdounin.ru> | 2012-06-05 13:52:37 +0000 |
---|---|---|
committer | Maxim Dounin <mdounin@mdounin.ru> | 2012-06-05 13:52:37 +0000 |
commit | b683a855ae3129c4374a13f4f0d3570e5d6a0ddb (patch) | |
tree | e65edfc703855ca82cd347e383fb6c9cf30b8d9d /src/http/ngx_http_request.c | |
parent | 4624fd5d195753c21a4859925925c9523e8b981c (diff) | |

Merge of r4674, r4675, r4676: win32 fixes.

*) Win32: disallowed access to various non-canonical name variants.

   This includes trailing dots and spaces, NTFS streams (and short names, as
   previously checked). The checks are now also done in ngx_file_info(), thus
   allowing to use the "try_files" directive to protect external scripts.

*) Win32: normalization of trailing dot inside uri.

   Windows treats "/directory./" identical to "/directory/". Do the same
   when working on Windows. Note that the behaviour is different from one
   with last path component (where multiple spaces and dots are ignored by
   Windows).

*) Win32: uris with ":$" are now rejected.

   There are too many problems with special NTFS streams, notably "::$data",
   "::$index_allocation" and ":$i30:$index_allocation".

   For now we don't reject all URIs with ":" like Apache does as there are no
   good reasons seen yet, and there are multiple programs using it in URLs
   (e.g. MediaWiki).

Diffstat (limited to 'src/http/ngx_http_request.c')
-rw-r--r-- | src/http/ngx_http_request.c | 28 |
1 files changed, 22 insertions, 6 deletions
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c index 06f89d648..b1877131c 100644 --- a/src/http/ngx_http_request.c +++ b/src/http/ngx_http_request.c @@ -812,7 +812,28 @@ ngx_http_process_request_line(ngx_event_t *rev) #if (NGX_WIN32) { - u_char *p; + u_char *p, *last; + + p = r->uri.data; + last = r->uri.data + r->uri.len; + + while (p < last) { + + if (*p++ == ':') { + + /* + * this check covers "::$data", "::$index_allocation" and + * ":$i30:$index_allocation" + */ + + if (p < last && *p == '$') { + ngx_log_error(NGX_LOG_INFO, c->log, 0, + "client sent unsafe win32 URI"); + ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST); + return; + } + } + } p = r->uri.data + r->uri.len - 1; @@ -828,11 +849,6 @@ ngx_http_process_request_line(ngx_event_t *rev) continue; } - if (ngx_strncasecmp(p - 6, (u_char *) "::$data", 7) == 0) { - p -= 7; - continue; - } - break; } |
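
Review bot: The new ":$" scan in the first hunk (@@ -812,7 +812,28 @@) compares raw bytes of r->uri, but nothing in the hunk states whether r->uri is already percent-decoded at this point, so a reader cannot tell whether encoded forms of the colon or dollar sign are covered by the check. Please extend the comment above `if (p < last && *p == '$')` to say which form of the URI is being scanned. Two smaller points on the same loop: `if (*p++ == ':')` advances p as a side effect of the comparison, which makes the following `*p == '$'` easy to misread as testing the same byte, so an explicit increment on its own line would be clearer; and the "client sent unsafe win32 URI" message is logged at NGX_LOG_INFO without saying that the ":$" rule matched, which will make these 400 responses hard to tell apart from other rejections when triaging logs.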
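
Review bot: Removing the `ngx_strncasecmp(p - 6, (u_char *) "::$data", 7)` branch in the second hunk (@@ -828,11 +849,6 @@) changes behaviour rather than just moving the check: the old code stripped a trailing "::$data" with `p -= 7; continue;` and went on processing the request, while the scan added earlier in the block now ends the request with NGX_HTTP_BAD_REQUEST. The trailing-character loop is only safe without this branch because that earlier scan runs first, and that ordering dependency is not written down anywhere in the visible code. A short comment at the top of this loop noting that ":$" sequences have already been rejected would keep a later reordering from quietly reintroducing the stream-name problem, and the switch from stripping to rejecting deserves a mention in the change notes.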