From 09c684b2d53b46b6ffb706c686ca4dbed62cf6da Mon Sep 17 00:00:00 2001
From: Igor Sysoev <igor@sysoev.ru>
Date: Wed, 9 Nov 2005 17:25:55 +0000
Subject: nginx-0.3.8-RELEASE import

    *) Security: nginx now checks URI got from a backend in
       "X-Accel-Redirect" header line or in SSI file for the "/../" paths
       and zeroes.

    *) Change: nginx now does not treat the empty user name in the
       "Authorization" header line as valid one.

    *) Feature: the "ssl_session_timeout" directives of the
       ngx_http_ssl_module and ngx_imap_ssl_module.

    *) Feature: the "auth_http_header" directive of the
       ngx_imap_auth_http_module.

    *) Feature: the "add_header" directive.

    *) Feature: the ngx_http_realip_module.

    *) Feature: the new variables to use in the "log_format" directive:
       $bytes_sent, $apache_bytes_sent, $status, $time_gmt, $uri,
       $request_time, $request_length, $upstream_status,
       $upstream_response_time, $gzip_ratio, $uid_got, $uid_set,
       $connection, $pipe, and $msec. The parameters in the "%name" form
       will be canceled soon.

    *) Change: now the false variable values in the "if" directive are the
       empty string "" and string starting with "0".

    *) Bugfix: while using proxied or FastCGI-server nginx may leave
       connections and temporary files with client requests in open state.

    *) Bugfix: the worker processes did not flush the buffered logs on
       graceful exit.

    *) Bugfix: if the request URI was changes by the "rewrite" directive
       and the request was proxied in location given by regular expression,
       then the incorrect request was transferred to backend; the bug had
       appeared in 0.2.6.

    *) Bugfix: the "expires" directive did not remove the previous
       "Expires" header.

    *) Bugfix: nginx may stop to accept requests if the "rtsig" method and
       several worker processes were used.

    *) Bugfix: the "\"" and "\'" escape symbols were incorrectly handled in
       SSI commands.

    *) Bugfix: if the response was ended just after the SSI command and
       gzipping was used, then the response did not transferred complete or
       did not transferred at all.
---
 src/http/ngx_http_parse.c | 94 +++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 91 insertions(+), 3 deletions(-)

(limited to 'src/http/ngx_http_parse.c')

diff --git a/src/http/ngx_http_parse.c b/src/http/ngx_http_parse.c
index 302cd819a..0001286c6 100644
--- a/src/http/ngx_http_parse.c
+++ b/src/http/ngx_http_parse.c
@@ -763,6 +763,7 @@ ngx_http_parse_complex_uri(ngx_http_request_t *r)
                        "s:%d in:'%Xd:%c', out:'%c'", state, ch, ch, *u);
 
         switch (state) {
+
         case sw_usual:
             switch(ch) {
 #if (NGX_WIN32)
@@ -810,7 +811,6 @@ ngx_http_parse_complex_uri(ngx_http_request_t *r)
             switch(ch) {
 #if (NGX_WIN32)
             case '\\':
-                break;
 #endif
             case '/':
                 break;
@@ -837,7 +837,6 @@ ngx_http_parse_complex_uri(ngx_http_request_t *r)
             switch(ch) {
 #if (NGX_WIN32)
             case '\\':
-                /* fall through */
 #endif
             case '/':
                 state = sw_slash;
@@ -866,7 +865,6 @@ ngx_http_parse_complex_uri(ngx_http_request_t *r)
             switch(ch) {
 #if (NGX_WIN32)
             case '\\':
-                /* fall through */
 #endif
             case '/':
                 state = sw_slash;
@@ -923,6 +921,9 @@ ngx_http_parse_complex_uri(ngx_http_request_t *r)
                 quoted_state = state;
                 state = sw_quoted;
                 break;
+            case '?':
+                r->args_start = p;
+                goto done;
             default:
                 state = sw_usual;
                 *u++ = ch;
@@ -1002,6 +1003,92 @@ done:
 }
 
 
+ngx_int_t
+ngx_http_parse_unsafe_uri(ngx_http_request_t *r, ngx_str_t *uri,
+    ngx_str_t *args, ngx_uint_t *flags)
+{
+    u_char  ch, *p;
+    size_t  len;
+
+    len = uri->len;
+    p = uri->data;
+
+    if (len == 0 || p[0] == '?') {
+        goto unsafe;
+    }
+
+    if (p[0] == '.' && len == 3 && p[1] == '.' && (p[2] == '/'
+#if (NGX_WIN32)
+                                                   || p[2] == '\\'
+#endif
+        ))
+    {
+        goto unsafe;
+    }
+
+    for ( /* void */ ; len; len--) {
+
+        ch = *p++;
+
+        if (ch == '?') {
+            args->len = len - 1;
+            args->data = p;
+            uri->len -= len;
+
+            return NGX_OK;
+        }
+
+        if (ch == '\0') {
+            *flags |= NGX_HTTP_ZERO_IN_URI;
+            continue;
+        }
+
+        if (ch != '/'
+#if (NGX_WIN32)
+            && ch != '\\'
+#endif
+            )
+        {
+            continue;
+        }
+
+        if (len > 2) {
+
+            /* detect "/../" */
+
+            if (p[2] == '/') {
+                goto unsafe;
+            }
+
+#if (NGX_WIN32)
+
+            if (p[2] == '\\') {
+                goto unsafe;
+            }
+
+            if (len > 3) {
+
+                /* detect "/.../" */
+
+                if (p[3] == '/' || p[3] == '\\') {
+                    goto unsafe;
+                }
+            }
+#endif
+        }
+    }
+
+    return NGX_OK;
+
+unsafe:
+
+    ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
+                  "unsafe URI \"%V\" was detected", uri);
+
+    return NGX_ERROR;
+}
+
+
 ngx_int_t
 ngx_http_parse_multi_header_lines(ngx_array_t *headers, ngx_str_t *name,
     ngx_str_t *value)
@@ -1059,6 +1146,7 @@ ngx_http_parse_multi_header_lines(ngx_array_t *headers, ngx_str_t *name,
             return i;
 
         skip:
+
             while (start < end) {
                 ch = *start++;
                 if (ch == ';' || ch == ',') {
-- 
cgit