diff options
| author | Igor Sysoev <igor@sysoev.ru> | 2007-07-17 09:34:23 +0000 |
|---|---|---|
| committer | Igor Sysoev <igor@sysoev.ru> | 2007-07-17 09:34:23 +0000 |
| commit | 872949f2b19ca26ad5fd0e341b45562b4278f6a0 (patch) | |
| tree | 38cd04f9f8c2ddf7c288f805b3c1ff57048d3552 /src/http | |
| parent | 6addbaeb16e6fd1a5e9348871603e750daddf81d (diff) | |
| download | nginx-872949f2b19ca26ad5fd0e341b45562b4278f6a0.tar.gz nginx-872949f2b19ca26ad5fd0e341b45562b4278f6a0.tar.bz2 | |
r1299 merge:
msie_refresh should escape at least '"' to prevent XSS
Diffstat (limited to 'src/http')
| -rw-r--r-- | src/http/ngx_http_special_response.c | 24 |
1 files changed, 19 insertions, 5 deletions
diff --git a/src/http/ngx_http_special_response.c b/src/http/ngx_http_special_response.c index bb72079a9..2598116f7 100644 --- a/src/http/ngx_http_special_response.c +++ b/src/http/ngx_http_special_response.c @@ -315,6 +315,7 @@ ngx_http_special_response_handler(ngx_http_request_t *r, ngx_int_t error) { u_char *p; size_t msie_refresh; + uintptr_t escape; ngx_int_t rc; ngx_buf_t *b; ngx_str_t *uri, *location; @@ -496,17 +497,19 @@ ngx_http_special_response_handler(ngx_http_request_t *r, ngx_int_t error) r->headers_out.content_length = NULL; } - msie_refresh = 0; - location = NULL; - if (clcf->msie_refresh && r->headers_in.msie && (error == NGX_HTTP_MOVED_PERMANENTLY || error == NGX_HTTP_MOVED_TEMPORARILY)) { + location = &r->headers_out.location->value; + + escape = 2 * ngx_escape_uri(NULL, location->data, location->len, + NGX_ESCAPE_REFRESH); + msie_refresh = sizeof(ngx_http_msie_refresh_head) - 1 - + location->len + + escape + location->len + sizeof(ngx_http_msie_refresh_tail) - 1; r->err_status = NGX_HTTP_OK; @@ -514,6 +517,11 @@ ngx_http_special_response_handler(ngx_http_request_t *r, ngx_int_t error) r->headers_out.content_length_n = msie_refresh; r->headers_out.location->hash = 0; r->headers_out.location = NULL; + + } else { + location = NULL; + escape = 0; + msie_refresh = 0; } ngx_http_clear_accept_ranges(r); @@ -595,7 +603,13 @@ ngx_http_special_response_handler(ngx_http_request_t *r, ngx_int_t error) p = ngx_cpymem(b->pos, ngx_http_msie_refresh_head, sizeof(ngx_http_msie_refresh_head) - 1); - p = ngx_cpymem(p, location->data, location->len); + if (escape == 0) { + p = ngx_cpymem(p, location->data, location->len); + + } else { + p = (u_char *) ngx_escape_uri(p, location->data, location->len, + NGX_ESCAPE_REFRESH); + } b->last = ngx_cpymem(p, ngx_http_msie_refresh_tail, sizeof(ngx_http_msie_refresh_tail) - 1); |