nginx-0.3.8-RELEASE import
*) Security: nginx now checks a URI received from a backend in the
"X-Accel-Redirect" header line or in an SSI file for "/../" paths
and zero (NUL) bytes.
*) Change: nginx now does not treat the empty user name in the
"Authorization" header line as valid one.
*) Feature: the "ssl_session_timeout" directives of the
ngx_http_ssl_module and ngx_imap_ssl_module.
*) Feature: the "auth_http_header" directive of the
ngx_imap_auth_http_module.
*) Feature: the "add_header" directive.
*) Feature: the ngx_http_realip_module.
*) Feature: the new variables to use in the "log_format" directive:
$bytes_sent, $apache_bytes_sent, $status, $time_gmt, $uri,
$request_time, $request_length, $upstream_status,
$upstream_response_time, $gzip_ratio, $uid_got, $uid_set,
$connection, $pipe, and $msec. The parameters in the "%name" form
will be canceled soon.
*) Change: now the false variable values in the "if" directive are the
empty string "" and string starting with "0".
*) Bugfix: while using proxied or FastCGI-server nginx may leave
connections and temporary files with client requests in open state.
*) Bugfix: the worker processes did not flush the buffered logs on
graceful exit.
*) Bugfix: if the request URI was changes by the "rewrite" directive
and the request was proxied in location given by regular expression,
then the incorrect request was transferred to backend; the bug had
appeared in 0.2.6.
*) Bugfix: the "expires" directive did not remove the previous
"Expires" header.
*) Bugfix: nginx may stop to accept requests if the "rtsig" method and
several worker processes were used.
*) Bugfix: the "\"" and "\'" escape symbols were incorrectly handled in
SSI commands.
*) Bugfix: if the response was ended just after the SSI command and
gzipping was used, then the response did not transferred complete or
did not transferred at all.
diff --git a/src/http/ngx_http_parse.c b/src/http/ngx_http_parse.c
index 302cd81..0001286 100644
--- a/src/http/ngx_http_parse.c
+++ b/src/http/ngx_http_parse.c
@@ -763,6 +763,7 @@
"s:%d in:'%Xd:%c', out:'%c'", state, ch, ch, *u);
switch (state) {
+
case sw_usual:
switch(ch) {
#if (NGX_WIN32)
@@ -810,7 +811,6 @@
switch(ch) {
#if (NGX_WIN32)
case '\\':
- break;
#endif
case '/':
break;
@@ -837,7 +837,6 @@
switch(ch) {
#if (NGX_WIN32)
case '\\':
- /* fall through */
#endif
case '/':
state = sw_slash;
@@ -866,7 +865,6 @@
switch(ch) {
#if (NGX_WIN32)
case '\\':
- /* fall through */
#endif
case '/':
state = sw_slash;
@@ -923,6 +921,9 @@
quoted_state = state;
state = sw_quoted;
break;
+ case '?':
+ r->args_start = p;
+ goto done;
default:
state = sw_usual;
*u++ = ch;
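Review bot: The new `case '?'` leaves through `goto done` without writing anything to `u`, and the enclosing `case` label and the start of the function are outside the hunk, so the parser state it belongs to is not visible here. If this is one of the dot-segment states, a path that ends in a dot segment immediately before `?` would reach `done` without that segment being collapsed; that should be confirmed as intended against the code at `done`. A short comment on the case would record the decision, for example `/* '?' ends the path; args start at p */`, which also documents the assumption that `p` has already been advanced past the `?`.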
@@ -1003,6 +1004,92 @@
ngx_int_t
+ngx_http_parse_unsafe_uri(ngx_http_request_t *r, ngx_str_t *uri,
+ ngx_str_t *args, ngx_uint_t *flags)
+{
+ u_char ch, *p;
+ size_t len;
+
+ len = uri->len;
+ p = uri->data;
+
+ if (len == 0 || p[0] == '?') {
+ goto unsafe;
+ }
+
+ if (p[0] == '.' && len == 3 && p[1] == '.' && (p[2] == '/'
+#if (NGX_WIN32)
+ || p[2] == '\\'
+#endif
+ ))
+ {
+ goto unsafe;
+ }
+
+ for ( /* void */ ; len; len--) {
+
+ ch = *p++;
+
+ if (ch == '?') {
+ args->len = len - 1;
+ args->data = p;
+ uri->len -= len;
+
+ return NGX_OK;
+ }
+
+ if (ch == '\0') {
+ *flags |= NGX_HTTP_ZERO_IN_URI;
+ continue;
+ }
+
+ if (ch != '/'
+#if (NGX_WIN32)
+ && ch != '\\'
+#endif
+ )
+ {
+ continue;
+ }
+
+ if (len > 2) {
+
+ /* detect "/../" */
+
+ if (p[2] == '/') {
+ goto unsafe;
+ }
+
+#if (NGX_WIN32)
+
+ if (p[2] == '\\') {
+ goto unsafe;
+ }
+
+ if (len > 3) {
+
+ /* detect "/.../" */
+
+ if (p[3] == '/' || p[3] == '\\') {
+ goto unsafe;
+ }
+ }
+#endif
+ }
+ }
+
+ return NGX_OK;
+
+unsafe:
+
+ ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
+ "unsafe URI \"%V\" was detected", uri);
+
+ return NGX_ERROR;
+}
+
+
+ngx_int_t
ngx_http_parse_multi_header_lines(ngx_array_t *headers, ngx_str_t *name,
ngx_str_t *value)
{
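Review bot: The "/../" test in the loop of `ngx_http_parse_unsafe_uri` inspects only `p[2]` and never checks that `p[0]` and `p[1]` are dots, so any two-byte segment such as "/ab/" is rejected as unsafe. At that point `len` still counts the separator just consumed, so with `len == 3` the read of `p[2]` is one byte past the end of the string, and a trailing "/.." with no closing slash is not detected at all. The leading check requires `len == 3`, so only the exact string "../" is caught and "../x" passes both checks. The fence below compares both dots and bounds every index by the bytes that remain; the NGX_WIN32 "/.../" branch needs the same dot and length checks. The function also has no header comment, and one should state that `args` is written only when a '?' is found, so callers must initialise it.

```c
    /* a leading ".." segment, alone or followed by a separator */

    if (len > 1 && p[0] == '.' && p[1] == '.'
        && (len == 2 || p[2] == '/'
#if (NGX_WIN32)
            || p[2] == '\\'
#endif
           ))
    {
        goto unsafe;
    }

    /* … unchanged: loop header, '?' and '\0' handling, separator test … */

        /* len still counts the separator just read: len - 1 bytes remain at p */

        if (len > 2 && p[0] == '.' && p[1] == '.'
            && (len == 3 || p[2] == '/'
#if (NGX_WIN32)
                || p[2] == '\\'
#endif
               ))
        {
            /* "/../" or a trailing "/.." */
            goto unsafe;
        }

    /* … unchanged: NGX_WIN32 "/.../" branch, return NGX_OK, unsafe: label … */
```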
@@ -1059,6 +1146,7 @@
return i;
skip:
+
while (start < end) {
ch = *start++;
if (ch == ';' || ch == ',') {