Detect more unsafe URIs in ngx_http_parse_unsafe_uri().

author Ruslan Ermilov <ru@nginx.com>

Mon, 23 Dec 2013 14:11:56 +0000 (18:11 +0400)

committer Ruslan Ermilov <ru@nginx.com>

Mon, 23 Dec 2013 14:11:56 +0000 (18:11 +0400)
author Ruslan Ermilov <ru@nginx.com>
Mon, 23 Dec 2013 14:11:56 +0000 (18:11 +0400)
committer Ruslan Ermilov <ru@nginx.com>
Mon, 23 Dec 2013 14:11:56 +0000 (18:11 +0400)
diff --git a/src/http/ngx_http_parse.c b/src/http/ngx_http_parse.c

index cf89b8cfe354fc3ec81e5579aa6db07a2b76c0d4..a895a8958e16c5444dfb01d8f5c933a60093fd14 100644 (file)
--- a/src/http/ngx_http_parse.c
+++ b/src/http/ngx_http_parse.c
@@ -1790,7 +1790,9 @@ ngx_http_parse_unsafe_uri(ngx_http_request_t *r, ngx_str_t *uri,
          goto unsafe;
      }
  
-    if (p[0] == '.' && len == 3 && p[1] == '.' && (ngx_path_separator(p[2]))) {
+    if (p[0] == '.' && len > 1 && p[1] == '.'
+        && (len == 2 || ngx_path_separator(p[2])))
+    {
          goto unsafe;
      }
  
@@ -1816,9 +1818,11 @@ ngx_http_parse_unsafe_uri(ngx_http_request_t *r, ngx_str_t *uri,
  
          if (ngx_path_separator(ch) && len > 2) {
  
-            /* detect "/../" */
+            /* detect "/../" and "/.." */
  
-            if (p[0] == '.' && p[1] == '.' && ngx_path_separator(p[2])) {
+            if (p[0] == '.' && p[1] == '.'
+                && (len == 3 || ngx_path_separator(p[2])))
+            {
                  goto unsafe;
              }
          }
author	Ruslan Ermilov <ru@nginx.com>
	Mon, 23 Dec 2013 14:11:56 +0000 (18:11 +0400)
committer	Ruslan Ermilov <ru@nginx.com>
	Mon, 23 Dec 2013 14:11:56 +0000 (18:11 +0400)