IntenseWebs/nginx
3
0
Fork 0
mirror of https://github.com/nginx/nginx.git synced 2025-02-25 18:55:26 -06:00
Code Issues Packages Projects Releases Wiki Activity

Disabled control characters in URIs.

Browse Source 
Control characters (0x00-0x1f, 0x7f) were never allowed in URIs, and must
be percent-encoded by clients.  Further, these are not believed to appear
in practice.  On the other hand, passing such characters might make various
attacks possible or easier, despite the fact that currently allowed control
characters are not significant for HTTP request parsing.
This commit is contained in:
Maxim Dounin
2021-06-28 18:01:15 +03:00
parent 05395f4889
commit 0b66bd4be7
1 changed files with 28 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
src/http/ngx_http_parse.c
View File

@@ -11,7 +11,7 @@
static uint32_t usual[] = { static uint32_t usual[] = {
0xffffdbfe, /* 1111 1111 1111 1111 1101 1011 1111 1110 */ 0x00000000, /* 0000 0000 0000 0000 0000 0000 0000 0000 */
/* ?>=< ;:98 7654 3210 /.-, +*)( '&%$ #"! */ /* ?>=< ;:98 7654 3210 /.-, +*)( '&%$ #"! */
0x7fff37d6, /* 0111 1111 1111 1111 0011 0111 1101 0110 */ 0x7fff37d6, /* 0111 1111 1111 1111 0011 0111 1101 0110 */
@@ -24,7 +24,7 @@ static uint32_t usual[] = {
#endif #endif
/* ~}| {zyx wvut srqp onml kjih gfed cba` */ /* ~}| {zyx wvut srqp onml kjih gfed cba` */
0xffffffff, /* 1111 1111 1111 1111 1111 1111 1111 1111 */ 0x7fffffff, /* 0111 1111 1111 1111 1111 1111 1111 1111 */
0xffffffff, /* 1111 1111 1111 1111 1111 1111 1111 1111 */ 0xffffffff, /* 1111 1111 1111 1111 1111 1111 1111 1111 */
0xffffffff, /* 1111 1111 1111 1111 1111 1111 1111 1111 */ 0xffffffff, /* 1111 1111 1111 1111 1111 1111 1111 1111 */
@@ -528,9 +528,10 @@ ngx_http_parse_request_line(ngx_http_request_t *r, ngx_buf_t *b)
case '+': case '+':
r->plus_in_uri = 1; r->plus_in_uri = 1;
break; break;
case '\0':
return NGX_HTTP_PARSE_INVALID_REQUEST;
default: default:
if (ch < 0x20 || ch == 0x7f) {
return NGX_HTTP_PARSE_INVALID_REQUEST;
}
state = sw_check_uri; state = sw_check_uri;
break; break;
} }
@@ -592,8 +593,11 @@ ngx_http_parse_request_line(ngx_http_request_t *r, ngx_buf_t *b)
case '+': case '+':
r->plus_in_uri = 1; r->plus_in_uri = 1;
break; break;
case '\0': default:
return NGX_HTTP_PARSE_INVALID_REQUEST; if (ch < 0x20 || ch == 0x7f) {
return NGX_HTTP_PARSE_INVALID_REQUEST;
}
break;
} }
break; break;
@@ -621,8 +625,11 @@ ngx_http_parse_request_line(ngx_http_request_t *r, ngx_buf_t *b)
case '#': case '#':
r->complex_uri = 1; r->complex_uri = 1;
break; break;
case '\0': default:
return NGX_HTTP_PARSE_INVALID_REQUEST; if (ch < 0x20 || ch == 0x7f) {
return NGX_HTTP_PARSE_INVALID_REQUEST;
}
break;
} }
break; break;
@@ -1118,8 +1125,6 @@ ngx_http_parse_uri(ngx_http_request_t *r)
} }
switch (ch) { switch (ch) {
case ' ':
return NGX_ERROR;
case '.': case '.':
r->complex_uri = 1; r->complex_uri = 1;
state = sw_uri; state = sw_uri;
@@ -1150,6 +1155,9 @@ ngx_http_parse_uri(ngx_http_request_t *r)
r->plus_in_uri = 1; r->plus_in_uri = 1;
break; break;
default: default:
if (ch <= 0x20 || ch == 0x7f) {
return NGX_ERROR;
}
state = sw_check_uri; state = sw_check_uri;
break; break;
} }
@@ -1177,8 +1185,6 @@ ngx_http_parse_uri(ngx_http_request_t *r)
case '.': case '.':
r->uri_ext = p + 1; r->uri_ext = p + 1;
break; break;
case ' ':
return NGX_ERROR;
#if (NGX_WIN32) #if (NGX_WIN32)
case '\\': case '\\':
r->complex_uri = 1; r->complex_uri = 1;
@@ -1200,6 +1206,11 @@ ngx_http_parse_uri(ngx_http_request_t *r)
case '+': case '+':
r->plus_in_uri = 1; r->plus_in_uri = 1;
break; break;
default:
if (ch <= 0x20 || ch == 0x7f) {
return NGX_ERROR;
}
break;
} }
break; break;
@@ -1211,11 +1222,14 @@ ngx_http_parse_uri(ngx_http_request_t *r)
} }
switch (ch) { switch (ch) {
case ' ':
return NGX_ERROR;
case '#': case '#':
r->complex_uri = 1; r->complex_uri = 1;
break; break;
default:
if (ch <= 0x20 || ch == 0x7f) {
return NGX_ERROR;
}
break;
} }
break; break;
} }