commit 336bcb22d19ff67a696a2a8a3aaa1210169ecdc7
author Ruslan Ermilov <ru@nginx.com> Mon Dec 23 18:11:56 2013 +0400
committer Ruslan Ermilov <ru@nginx.com> Mon Dec 23 18:11:56 2013 +0400
tree 5b6ee19fdc425270fd1e336d0f4e961ade4f6015
parent 3f36c684a1b32e047ae8209c338e7a5f072435ed

Detect more unsafe URIs in ngx_http_parse_unsafe_uri().

The following URIs were considered safe: "..", "../foo", and "/foo/..".

src/http/ngx_http_parse.c

diff --git a/src/http/ngx_http_parse.c b/src/http/ngx_http_parse.c
index cf89b8c..a895a89 100644
--- a/src/http/ngx_http_parse.c
+++ b/src/http/ngx_http_parse.c
@@ -1790,7 +1790,9 @@
         goto unsafe;
     }
 
-    if (p[0] == '.' && len == 3 && p[1] == '.' && (ngx_path_separator(p[2]))) {
+    if (p[0] == '.' && len > 1 && p[1] == '.'
+        && (len == 2 || ngx_path_separator(p[2])))
+    {
         goto unsafe;
     }
 
@@ -1816,9 +1818,11 @@
 
         if (ngx_path_separator(ch) && len > 2) {
 
-            /* detect "/../" */
+            /* detect "/../" and "/.." */
 
-            if (p[0] == '.' && p[1] == '.' && ngx_path_separator(p[2])) {
+            if (p[0] == '.' && p[1] == '.'
+                && (len == 3 || ngx_path_separator(p[2])))
+            {
                 goto unsafe;
             }
         }