Hello!
[sorry for long delay, I had no time to review the patch]
On Sun, Oct 03, 2010 at 10:11:58AM -0400, rovervr wrote:
> This is the last version of the patch for version 0.8.52 which is now
> live on our production servers for several days without any flaws.
>
> http://www.coderain.de/nginx/nginx-0.8.52-xred.patch
>
> The escaping takes place at ngx_http_parse_unsafe_uri() as Maxim
> suggested.
s/escaping/unescaping/
This patch is wrong. It will unescape the query string as well, which
is expected to remain escaped. Additionally, at least "../" unsafe
check should be reconsidered after unescaping.
Maxim Dounin
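
An added illustration of the two points in the reply above (not part of the original message, not the patch, and not nginx code): split on the raw "?" first so only the path is unescaped, then run the ".." segment check on the decoded path. The names `split_and_check_uri` and `hexval` are hypothetical, and the check covers only ".." segments.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helper: value of one hex digit, or -1 if not a hex digit. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20;                              /* fold A-F to a-f */
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Returns 0 if accepted, -1 if rejected. On success `path` holds the
 * decoded path and `*args` points at the still-escaped query (or NULL). */
int split_and_check_uri(const char *uri, char *path, size_t cap,
                        const char **args)
{
    const char *q = strchr(uri, '?');       /* raw '?', found before decoding */
    size_t      rawlen = q ? (size_t) (q - uri) : strlen(uri);
    size_t      i, n = 0;

    if (cap == 0) return -1;
    *args = q ? q + 1 : NULL;               /* query string stays escaped */

    for (i = 0; i < rawlen; i++) {
        int c = (unsigned char) uri[i];
        if (c == '%') {                     /* decode %XX in the path only */
            int hi, lo;
            if (rawlen - i < 3) return -1;  /* truncated escape */
            hi = hexval((unsigned char) uri[i + 1]);
            lo = hexval((unsigned char) uri[i + 2]);
            if (hi < 0 || lo < 0) return -1;
            c = hi * 16 + lo;
            i += 2;
        }
        if (c == '\0' || n + 1 >= cap) return -1;
        path[n++] = (char) c;
    }
    path[n] = '\0';

    /* ".." check runs on the decoded bytes, so an escaped ".." is caught. */
    for (i = 0; i < n; ) {
        size_t seg = strcspn(path + i, "/");
        if (seg == 2 && path[i] == '.' && path[i + 1] == '.') return -1;
        i += seg + 1;
    }
    return 0;
}
```

Because the split happens before decoding, an escaped "?" in the path decodes to a literal character instead of starting the query string.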