Changeset 4675:79c147bdeb6a in nginx


Timestamp: 06/05/12 13:38:27 (4 years ago)
Author: Maxim Dounin <mdounin@…>
Branch: default
Convert: svn:c3fe7df1-7212-e011-8a91-001109144009/trunk@4676
Message:

Win32: uris with ":$" are now rejected.

There are too many problems with special NTFS streams, notably "::$data",
"::$index_allocation" and ":$i30:$index_allocation".

For now we don't reject all URIs with ":" like Apache does as there are no
good reasons seen yet, and there are multiple programs using it in URLs
(e.g. MediaWiki).

File:
1 edited

  • src/http/ngx_http_request.c

    r4640 r4675  
    813813#if (NGX_WIN32)
    814814            {
    815             u_char  *p;
     815            u_char  *p, *last;
     816
     817            p = r->uri.data;
     818            last = r->uri.data + r->uri.len;
     819
     820            while (p < last) {
     821
     822                if (*p++ == ':') {
     823
     824                    /*
     825                     * this check covers "::$data", "::$index_allocation" and
     826                     * ":$i30:$index_allocation"
     827                     */
     828
     829                    if (p < last && *p == '$') {
     830                        ngx_log_error(NGX_LOG_INFO, c->log, 0,
     831                                      "client sent unsafe win32 URI");
     832                        ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
     833                        return;
     834                    }
     835                }
     836            }
    816837
    817838            p = r->uri.data + r->uri.len - 1;
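
Review bot: the scan added at new lines 820-836 compares the bytes of r->uri against ':' and '$', and the hunk does not show whether r->uri is already percent-decoded when this block runs; please confirm the check sees the decoded URI so that encoded forms of either character are covered as well. The comment at new lines 824-827 lists the three stream names but not the rule itself: it would help to state that any ":" immediately followed by "$" is rejected anywhere in the URI, not only in the final path component, since that is what `if (p < last && *p == '$')` does, and it will also return 400 for otherwise harmless URIs that contain ":$".
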
     
    826847                if (*p == '.') {
    827848                    p--;
    828                     continue;
    829                 }
    830 
    831                 if (ngx_strncasecmp(p - 6, (u_char *) "::$data", 7) == 0) {
    832                     p -= 7;
    833849                    continue;
    834850                }
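
Review bot: with the "::$data" branch removed at old lines 831-833, this trailing-character loop no longer handles stream suffixes at all and relies entirely on the ":$" rejection added earlier in the same NGX_WIN32 block. A one-line comment here saying so would keep a later reorder or removal of that earlier check from silently reopening the "::$data" case. The removed comparison was case-insensitive (ngx_strncasecmp); the replacement does not need that because it keys only on ':' followed by '$', which is worth noting in the same comment.
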