summaryrefslogtreecommitdiffhomepage
path: root/src/http/ngx_http_parse.c (unfollow)
AgeCommit message (Collapse)AuthorFilesLines
2020-12-10Fixed parsing of absolute URIs with empty path (ticket #2079).Maxim Dounin1-0/+17
When the request line contains request-target in the absolute-URI form, it can contain path-empty instead of a single slash (see RFC 7230, RFC 3986). Previously, the ngx_http_parse_request_line() function only accepted empty path when there was no query string. With this change, non-empty query is also correctly handled. That is, request line "GET http://example.com?foo HTTP/1.1" is accepted and results in $uri "/" and $args "foo". Note that $request_uri remains "?foo", similarly to how spaces in URIs are handled. Providing "/?foo", similarly to how "/" is provided for "GET http://example.com HTTP/1.1", requires allocation.
2019-10-15Fixed header parsing with ignore_invalid_headers switched off.Ruslan Ermilov1-0/+4
The parsing was broken when the first character of the header name was invalid. Based on a patch by Alan Kemp.
2019-10-08Fixed URI normalization with merge_slashes switched off.Maxim Dounin1-2/+2
Previously, "/foo///../bar" was normalized into "/foo/bar" instead of "/foo//bar".
2019-10-08The "/." and "/.." at the end of URI should be normalized.Ruslan Ermilov1-6/+32
2019-10-08Improved detection of broken percent encoding in URI.Ruslan Ermilov1-0/+4
2019-09-03Detect runaway chunks in ngx_http_parse_chunked().Sergey Kandaurov1-0/+3
As defined in HTTP/1.1, body chunks have the following ABNF: chunk = chunk-size [ chunk-ext ] CRLF chunk-data CRLF where chunk-data is a sequence of chunk-size octets. With this change, chunk-data that doesn't end up with CRLF at chunk-size offset will be treated as invalid, such as in the example provided below: 4 SEE-THIS-AND- 4 THAT 0
2018-05-24Allowed digits, '+', '-', and '.' in scheme names as per RFC 3986.Ruslan Ermilov1-0/+5
2017-07-17Parenthesized ASCII-related calculations.Valentin Bartenev1-7/+7
This also fixes potential undefined behaviour in the range and slice filter modules, caused by local overflows of signed integers in expressions.
2017-04-27Added missing "fall through" comments (ticket #1259).Maxim Dounin1-0/+3
Found by gcc7 (-Wimplicit-fallthrough).
2017-04-25Don't pretend we support HTTP major versions >1 as HTTP/1.1.Ruslan Ermilov1-3/+9
2016-10-10Allowed '-' in method names.Maxim Dounin1-2/+2
It is used at least by SOAP (M-POST method, defined by RFC 2774) and by WebDAV versioning (VERSION-CONTROL and BASELINE-CONTROL methods, defined by RFC 3253).
2016-07-07Avoid left-shifting integers into the sign bit, which is undefined.Sergey Kandaurov1-11/+11
Found with UndefinedBehaviorSanitizer.
2016-05-18Added overflow checks for version numbers (ticket #762).Maxim Dounin1-0/+16
Both minor and major versions are now limited to 999 maximum. In case of r->http_minor, this limit is already implied by the code. Major version, r->http_major, in theory can be up to 65535 with current code, but such values are very unlikely to become real (and, additionally, such values are not allowed by RFC 7230), so the same test was used for r->http_major.
2015-03-17Overflow detection in ngx_http_parse_chunked().Ruslan Ermilov1-4/+8
2014-07-08Style: add whitespace between control statement and parentheses.Piotr Sikora1-4/+4
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-04-29Upstream: added the "$upstream_cookie_<name>" variables.Vladimir Homutov1-0/+51
2014-03-24Apply underscores_in_headers also to the first character.Piotr Sikora1-0/+13
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2013-12-23Teach ngx_http_parse_unsafe_uri() how to unescape URIs.Ruslan Ermilov1-3/+60
This fixes handling of escaped URIs in X-Accel-Redirect (ticket #316), SSI (ticket #240), and DAV.
2013-12-23Detect more unsafe URIs in ngx_http_parse_unsafe_uri().Ruslan Ermilov1-3/+7
The following URIs were considered safe: "..", "../foo", and "/foo/..".
2013-11-19Proper backtracking after space in a request line.Ruslan Ermilov1-0/+2
2013-08-21Minor ngx_http_parse_request_line() optimization.Maxim Dounin1-0/+3
Noted by Nils Kuhnhenn.
2013-06-28Fixed ngx_http_parse_chunked() minimal length calculation.Maxim Dounin1-2/+3
Minimal data length we expect for further calls was calculated incorrectly if parsing stopped right after parsing chunk size. This might in theory affect clients and/or backends using LF instead of CRLF. Patch by Dmitry Popov.
2013-06-05Fixed debug logging in ngx_http_parse_complex_uri().Maxim Dounin1-2/+2
The *u previously logged isn't yet initialized at this point, and Valgrind complains.
2013-05-06Fixed chunk size parsing.Maxim Dounin1-0/+4
2013-03-20Preliminary experimental support for SPDY draft 2.Valentin Bartenev1-0/+148
2012-11-21Request body: adjust b->pos when chunked parsing done.Maxim Dounin1-0/+3
This is a nop for the current code, though will allow to correctly parse pipelined requests.
2012-11-21Request body: chunked parsing moved to ngx_http_parse.c from proxy.Maxim Dounin1-0/+253
No functional changes.
2012-06-05Win32: normalization of trailing dot inside uri.Maxim Dounin1-0/+20
Windows treats "/directory./" identical to "/directory/". Do the same when working on Windows. Note that the behaviour is different from one with last path component (where multiple spaces and dots are ignored by Windows).
2012-04-03Fixed spelling in multiline C comments.Ruslan Ermilov1-1/+1
2012-03-19For the sake of case/switch code readability, 'fall through'Maxim Konovalov1-0/+1
comments added.
2012-03-15Headers with null character are now rejected.Maxim Dounin1-0/+14
Headers with NUL character aren't allowed by HTTP standard and may cause various security problems. They are now unconditionally rejected.
2012-01-18Copyright updated.Maxim Konovalov1-0/+1
2011-11-28Added support for IP-literal in the Host header and request line (ticket #1).Valentin Bartenev1-2/+62
Additional parsing logic added to correctly handle RFC 3986 compliant IPv6 and IPvFuture characters enclosed in square brackets. The host validation was completely rewritten. The behavior for non IP literals was changed in a more proper and safer way: - Host part is now delimited either by the first colon or by the end of string if there's no colon. Previously the last colon was used as delimiter which allowed substitution of a port number in the $host variable. (e.g. Host: 127.0.0.1:9000:80) - Fixed stripping of the ending dot in the Host header when the host was also followed by a port number. (e.g. Host: nginx.com.:80) - Fixed upper case characters detection. Previously it was broken which led to wasting memory and CPU.
2011-09-15Protocol version parsing in ngx_http_parse_status_line().Maxim Dounin1-0/+5
Once we know protocol version, set u->headers_in.connection_close to indicate implicitly assumed connection close with HTTP before 1.1.
2010-06-23style fixIgor Sysoev1-1/+1
2010-06-15ngx_http_parse_status_line()Igor Sysoev1-0/+205
2010-06-15allow spaces in URIIgor Sysoev1-5/+55
2010-06-10PATCH methodIgor Sysoev1-0/+4
2010-06-04fix "/dir/%3F../" and "/dir/%23../" casesIgor Sysoev1-6/+3
2010-05-24remove r->zero_in_uriIgor Sysoev1-34/+15
2009-09-25check unsafe DestinationIgor Sysoev1-2/+4
2009-09-14handle "/../" case more reliablyIgor Sysoev1-5/+9
2009-09-02discrease slightly ngx_http_parse_header_line() size:Igor Sysoev1-2/+1
this line is not required for LF, however, this case is very seldom
2009-09-01fix segfault when a header starts with "\rX"Igor Sysoev1-0/+1
and logging is set to info or debug level
2009-07-20do not test "..." case since it's Win9x family feature onlyIgor Sysoev1-72/+0
2009-07-13allow underscore in request methodIgor Sysoev1-2/+2
2009-04-23ngx_path_separator()Igor Sysoev1-18/+5
2009-04-04refactor ngx_http_arg() using ngx_strcasestrn(),Igor Sysoev1-8/+8
back out zero termination introduced in r2138
2009-03-30fix r2579Igor Sysoev1-0/+2
2009-03-22style fix: remove tabsIgor Sysoev1-14/+14
generated by cgit (git 2.34.1) at 2025-12-07 05:10:40 +0000