From 4cf7f2727dd6cafbe8064a79701167e4da70ad4d Mon Sep 17 00:00:00 2001
From: Igor Sysoev <igor@sysoev.ru>
Date: Fri, 4 Jun 2010 16:05:55 +0000
Subject: [PATCH] fix "/dir/%3F../" and "/dir/%23../" cases

---
 src/http/ngx_http_parse.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/src/http/ngx_http_parse.c b/src/http/ngx_http_parse.c
index 2952e02ea..272f030ed 100644
--- a/src/http/ngx_http_parse.c
+++ b/src/http/ngx_http_parse.c
@@ -1187,16 +1187,11 @@ ngx_http_parse_complex_uri(ngx_http_request_t *r, ngx_uint_t merge_slashes)
             if (ch >= '0' && ch <= '9') {
                 ch = (u_char) ((decoded << 4) + ch - '0');
 
-                if (ch == '%') {
+                if (ch == '%' || ch == '#') {
                     state = sw_usual;
                     *u++ = ch;
                     ch = *p++;
                     break;
-                }
-
-                if (ch == '#') {
-                    *u++ = ch;
-                    ch = *p++;
 
                 } else if (ch == '\0') {
                     return NGX_HTTP_PARSE_INVALID_REQUEST;
@@ -1211,8 +1206,10 @@ ngx_http_parse_complex_uri(ngx_http_request_t *r, ngx_uint_t merge_slashes)
                 ch = (u_char) ((decoded << 4) + c - 'a' + 10);
 
                 if (ch == '?') {
+                    state = sw_usual;
                     *u++ = ch;
                     ch = *p++;
+                    break;
 
                 } else if (ch == '+') {
                     r->plus_in_uri = 1;