authorMaxim Dounin <mdounin@mdounin.ru>2012-06-05 13:38:27 +0000
committerMaxim Dounin <mdounin@mdounin.ru>2012-06-05 13:38:27 +0000
commit0d7720ddc052d5bf8aa09485a2a6bb9004bb943d (patch)
tree0b1f9acc0b9af9a976ac3ee84ec70e107d8b2709 /src/http/ngx_http_request.c
parentf83598a35981197ac113b9c898bdb972aa8366da (diff)
Win32: uris with ":$" are now rejected.
There are too many problems with special NTFS streams, notably "::$data", "::$index_allocation" and ":$i30:$index_allocation". For now we don't reject all URIs with ":" like Apache does as there are no good reasons seen yet, and there are multiple programs using it in URLs (e.g. MediaWiki).
Diffstat (limited to 'src/http/ngx_http_request.c')
-rw-r--r--src/http/ngx_http_request.c28
1 files changed, 22 insertions, 6 deletions
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
index 06f89d648..b1877131c 100644
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -812,7 +812,28 @@ ngx_http_process_request_line(ngx_event_t *rev)
#if (NGX_WIN32)
{
- u_char *p;
+ u_char *p, *last;
+
+ p = r->uri.data;
+ last = r->uri.data + r->uri.len;
+
+ while (p < last) {
+
+ if (*p++ == ':') {
+
+ /*
+ * this check covers "::$data", "::$index_allocation" and
+ * ":$i30:$index_allocation"
+ */
+
+ if (p < last && *p == '$') {
+ ngx_log_error(NGX_LOG_INFO, c->log, 0,
+ "client sent unsafe win32 URI");
+ ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
+ return;
+ }
+ }
+ }
p = r->uri.data + r->uri.len - 1;
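Review bot: The new scan in the `while (p < last)` loop is only as strong as the form of `r->uri` it runs on, and the hunk does not show whether `r->uri` is already percent-decoded at this point; if it were not, an encoded `%3a%24` would pass the `*p == '$'` test. I would extend the comment to state that assumption, and that the match is deliberately wider than the three streams it names, e.g. `/* r->uri must be the decoded URI here; any ":$" is rejected, not only the streams listed below */`. URIs produced later by rewrites or internal redirects are presumably not re-checked by this code, which deserves a follow-up check at the point where the URI is mapped to a file name. The rejection is logged at `NGX_LOG_INFO`, so operators who want to see these probes need an `error_log` level that includes it. The enclosing function starts before the hunk and continues after it.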
@@ -828,11 +849,6 @@ ngx_http_process_request_line(ngx_event_t *rev)
continue;
}
- if (ngx_strncasecmp(p - 6, (u_char *) "::$data", 7) == 0) {
- p -= 7;
- continue;
- }
-
break;
}