msie_refresh should escape at least '"' to prevent XSS
diff --git a/src/core/ngx_string.c b/src/core/ngx_string.c
index 032ae4d..29dc39f 100644
--- a/src/core/ngx_string.c
+++ b/src/core/ngx_string.c
@@ -1039,18 +1039,30 @@
0xffffffff /* 1111 1111 1111 1111 1111 1111 1111 1111 */
};
+ /* " ", """, "'", %00-%1F, %7F-%FF */
- switch (type) {
- case NGX_ESCAPE_HTML:
- escape = html;
- break;
- case NGX_ESCAPE_ARGS:
- escape = args;
- break;
- default:
- escape = uri;
- break;
- }
+ static uint32_t refresh[] = {
+ 0xffffffff, /* 1111 1111 1111 1111 1111 1111 1111 1111 */
+
+ /* ?>=< ;:98 7654 3210 /.-, +*)( '&%$ #"! */
+ 0x00000085, /* 0000 0000 0000 0000 0000 0000 1000 0101 */
+
+ /* _^]\ [ZYX WVUT SRQP ONML KJIH GFED CBA@ */
+ 0x00000000, /* 0000 0000 0000 0000 0000 0000 0000 0000 */
+
+ /* ~}| {zyx wvut srqp onml kjih gfed cba` */
+ 0x80000000, /* 1000 0000 0000 0000 0000 0000 0000 0000 */
+
+ 0xffffffff, /* 1111 1111 1111 1111 1111 1111 1111 1111 */
+ 0xffffffff, /* 1111 1111 1111 1111 1111 1111 1111 1111 */
+ 0xffffffff, /* 1111 1111 1111 1111 1111 1111 1111 1111 */
+ 0xffffffff /* 1111 1111 1111 1111 1111 1111 1111 1111 */
+ };
+
+ static uint32_t *map[] = { uri, args, html, refresh };
+
+
+ escape = map[type];
if (dst == NULL) {
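Review bot: `escape = map[type];` indexes the four-entry table with no range check, whereas the removed switch sent every unrecognised value to `uri` through its default branch, so a caller passing a type outside 0..3 now reads past the end of `map` and the bitmap lookups that follow use whatever memory is there. Keeping the old fallback costs one line, for example `escape = (type < sizeof(map) / sizeof(map[0])) ? map[type] : uri;` (this assumes type is unsigned; its declaration is outside the hunk). The initializer order `{ uri, args, html, refresh }` also has to match the numeric values of the NGX_ESCAPE_* constants, which are defined elsewhere, so a comment above `map` such as `/* indexed by NGX_ESCAPE_* value; keep in the same order */` would help. Separately, the `refresh` table leaves '%' unescaped (0x00000085 sets only the bits for ' ', '"' and '\''), so a '%XX' written by the escaper cannot be told apart from one already present in the input; worth confirming that is intended. The enclosing function begins and ends outside this hunk.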