The "/." and "/.." at the end of URI should be normalized.
diff --git a/src/http/ngx_http_parse.c b/src/http/ngx_http_parse.c
index b8a27e0..ed5cf75 100644
--- a/src/http/ngx_http_parse.c
+++ b/src/http/ngx_http_parse.c
@@ -1437,9 +1437,11 @@
state = sw_quoted;
break;
case '?':
+ u--;
r->args_start = p;
goto args;
case '#':
+ u--;
goto done;
case '+':
r->plus_in_uri = 1;
@@ -1467,7 +1469,8 @@
case '\\':
#endif
case '/':
- state = sw_slash;
+ case '?':
+ case '#':
u -= 5;
for ( ;; ) {
if (u < r->uri.data) {
@@ -1479,16 +1482,19 @@
}
u--;
}
+ if (ch == '?') {
+ r->args_start = p;
+ goto args;
+ }
+ if (ch == '#') {
+ goto done;
+ }
+ state = sw_slash;
break;
case '%':
quoted_state = state;
state = sw_quoted;
break;
- case '?':
- r->args_start = p;
- goto args;
- case '#':
- goto done;
case '+':
r->plus_in_uri = 1;
/* fall through */
@@ -1565,6 +1571,26 @@
return NGX_HTTP_PARSE_INVALID_REQUEST;
}
+ if (state == sw_dot) {
+ u--;
+
+ } else if (state == sw_dot_dot) {
+ u -= 5;
+
+ for ( ;; ) {
+ if (u < r->uri.data) {
+ return NGX_HTTP_PARSE_INVALID_REQUEST;
+ }
+
+ if (*u == '/') {
+ u++;
+ break;
+ }
+
+ u--;
+ }
+ }
+
done:
r->uri.len = u - r->uri.data;