Changes between Initial Version and Version 1 of Ticket #2472


Ignore:
Timestamp:
03/21/23 12:24:53 (21 months ago)
Author:
Weitian LI
Comment:

Legend:

Unmodified
Added
Removed
Modified

  • Ticket #2472 – Description

    initial v1  
    11Hi,
    22
    3 I found a request to `/../x` caused Nginx to response 400 with error:
     3I found a request to `/% 2e% 2e/x` caused Nginx to response 400 with error:
    44
    55{{{
    6 2023/03/21 17:06:55 [info] 1552400#1552400: *6 client sent invalid request while reading client request line, client: 127.0.0.1, server: _, request: "GET /../x HTTP/1.1"
     62023/03/21 17:06:55 [info] 1552400#1552400: *6 client sent invalid request while reading client request line, client: 127.0.0.1, server: _, request: "GET /% 2e% 2e/x HTTP/1.1"
    77}}}
    88
    9 Similarly, requests of `/..`, `/..`, and `/..` all give the same 400 result.
     9Similarly, requests of `/% 2e% 2e`, `/.% 2e`, and `/% 2e.` all give the same 400 result.
    1010
    11 However, requests of `/x/..`, `/x/..`, and `/x/..` all work as expected.  Meanwhile, request of `/..` is also OK (so `..` and `..` behave differently).
     11However, requests of `/x/% 2e% 2e`, `/x/.% 2e`, and `/x/% 2e.` all work as expected.  Meanwhile, request of `/..` is also OK (so `..` and `% 2e% 2e` behave differently).
    1212
    1313I traced the issue and found it was raised by [https://github.com/nginx/nginx/blame/master/src/http/ngx_http_parse.c#L1466], but I couldn't yet find the root cause.
    1414
     15N.B. please ignore the space between `%` and `2e`; otherwise, trac auto replace it with `.`.
     16
    1517Thank you.