Mercurial > hg > nginx
changeset 4675:79c147bdeb6a
Win32: uris with ":$" are now rejected.
There are too many problems with special NTFS streams, notably "::$data",
"::$index_allocation" and ":$i30:$index_allocation".
For now we don't reject all URIs with ":" like Apache does as there are no
good reasons seen yet, and there are multiple programs using it in URLs
(e.g. MediaWiki).
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Tue, 05 Jun 2012 13:38:27 +0000 |
parents | 5d86ab8f2340 |
children | 61b6a3438afe |
files | src/http/ngx_http_request.c |
diffstat | 1 files changed, 22 insertions(+), 6 deletions(-) [+] |
line wrap: on
line diff
--- a/src/http/ngx_http_request.c Tue Jun 05 13:37:29 2012 +0000 +++ b/src/http/ngx_http_request.c Tue Jun 05 13:38:27 2012 +0000 @@ -812,7 +812,28 @@ #if (NGX_WIN32) { - u_char *p; + u_char *p, *last; + + p = r->uri.data; + last = r->uri.data + r->uri.len; + + while (p < last) { + + if (*p++ == ':') { + + /* + * this check covers "::$data", "::$index_allocation" and + * ":$i30:$index_allocation" + */ + + if (p < last && *p == '$') { + ngx_log_error(NGX_LOG_INFO, c->log, 0, + "client sent unsafe win32 URI"); + ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST); + return; + } + } + } p = r->uri.data + r->uri.len - 1; @@ -828,11 +849,6 @@ continue; } - if (ngx_strncasecmp(p - 6, (u_char *) "::$data", 7) == 0) { - p -= 7; - continue; - } - break; }