Disabled control characters in URIs.
Control characters (0x00-0x1f, 0x7f) were never allowed in URIs, and must
be percent-encoded by clients. Further, these are not believed to appear
in practice. On the other hand, passing such characters might make various
attacks possible or easier, despite the fact that currently allowed control
characters are not significant for HTTP request parsing.
diff --git a/src/http/ngx_http_parse.c b/src/http/ngx_http_parse.c
index 8297a13..0d36a44 100644
--- a/src/http/ngx_http_parse.c
+++ b/src/http/ngx_http_parse.c
@@ -11,7 +11,7 @@
static uint32_t usual[] = {
- 0xffffdbfe, /* 1111 1111 1111 1111 1101 1011 1111 1110 */
+ 0x00000000, /* 0000 0000 0000 0000 0000 0000 0000 0000 */
/* ?>=< ;:98 7654 3210 /.-, +*)( '&%$ #"! */
0x7fff37d6, /* 0111 1111 1111 1111 0011 0111 1101 0110 */
@@ -24,7 +24,7 @@
#endif
/* ~}| {zyx wvut srqp onml kjih gfed cba` */
- 0xffffffff, /* 1111 1111 1111 1111 1111 1111 1111 1111 */
+ 0x7fffffff, /* 0111 1111 1111 1111 1111 1111 1111 1111 */
0xffffffff, /* 1111 1111 1111 1111 1111 1111 1111 1111 */
0xffffffff, /* 1111 1111 1111 1111 1111 1111 1111 1111 */
@@ -528,9 +528,10 @@
case '+':
r->plus_in_uri = 1;
break;
- case '\0':
- return NGX_HTTP_PARSE_INVALID_REQUEST;
default:
+ if (ch < 0x20 || ch == 0x7f) {
+ return NGX_HTTP_PARSE_INVALID_REQUEST;
+ }
state = sw_check_uri;
break;
}
@@ -592,8 +593,11 @@
case '+':
r->plus_in_uri = 1;
break;
- case '\0':
- return NGX_HTTP_PARSE_INVALID_REQUEST;
+ default:
+ if (ch < 0x20 || ch == 0x7f) {
+ return NGX_HTTP_PARSE_INVALID_REQUEST;
+ }
+ break;
}
break;
@@ -621,8 +625,11 @@
case '#':
r->complex_uri = 1;
break;
- case '\0':
- return NGX_HTTP_PARSE_INVALID_REQUEST;
+ default:
+ if (ch < 0x20 || ch == 0x7f) {
+ return NGX_HTTP_PARSE_INVALID_REQUEST;
+ }
+ break;
}
break;
@@ -1118,8 +1125,6 @@
}
switch (ch) {
- case ' ':
- return NGX_ERROR;
case '.':
r->complex_uri = 1;
state = sw_uri;
@@ -1150,6 +1155,9 @@
r->plus_in_uri = 1;
break;
default:
+ if (ch <= 0x20 || ch == 0x7f) {
+ return NGX_ERROR;
+ }
state = sw_check_uri;
break;
}
@@ -1177,8 +1185,6 @@
case '.':
r->uri_ext = p + 1;
break;
- case ' ':
- return NGX_ERROR;
#if (NGX_WIN32)
case '\\':
r->complex_uri = 1;
@@ -1200,6 +1206,11 @@
case '+':
r->plus_in_uri = 1;
break;
+ default:
+ if (ch <= 0x20 || ch == 0x7f) {
+ return NGX_ERROR;
+ }
+ break;
}
break;
@@ -1211,11 +1222,14 @@
}
switch (ch) {
- case ' ':
- return NGX_ERROR;
case '#':
r->complex_uri = 1;
break;
+ default:
+ if (ch <= 0x20 || ch == 0x7f) {
+ return NGX_ERROR;
+ }
+ break;
}
break;
}
