Welcome! Log In Create A New Profile

ngx unescape uri bug

Forum List Message List New Topic Print View

David Shee

March 25, 2013 03:12AM

I'm Zuwen Shi from China,I find a unescape uri bug in your program.
The source code location is src\core\ngx_string.c->ngx_unescape_uri
If I put a string "%%s%elect",it convert the string to "%slect",and %% to
%,%el to l,actually the right convert is "%%s%elect".
So,I patch the ngx_unescape_uri like below,the red part is which I modified.
Nginx is a really nice project.

void
ngx_unescape_uri(u_char **dst, u_char **src, size_t size, ngx_uint_t type)
{
u_char *d, *s, ch, c, decoded;
enum {
sw_usual = 0,
sw_quoted,
sw_quoted_second
} state;

d = *dst;
s = *src;

state = 0;
decoded = 0;

while (size--) {

ch = *s++;

switch (state) {
case sw_usual:
if (ch == '?'
&& (type & (NGX_UNESCAPE_URI|NGX_UNESCAPE_REDIRECT)))
{
*d++ = ch;
goto done;
}

if (ch == '%'&&size>1) {
ch=*s;
c = (u_char) (ch | 0x20);
if ((ch >= '0' && ch <= '9')||(c >= 'a' && c <= 'f')) {
ch=*(s+1);
c = (u_char) (ch | 0x20);
if ((ch >= '0' && ch <= '9')||(c >= 'a' && c <= 'f')) {
state = sw_quoted;
break;
}
}
*d++ = '%';
break;
}

if (ch == '+') {
*d++ = ' ';
break;
}

*d++ = ch;
break;

case sw_quoted:

if (ch >= '0' && ch <= '9') {
decoded = (u_char) (ch - '0');
state = sw_quoted_second;
break;
}

c = (u_char) (ch | 0x20);
if (c >= 'a' && c <= 'f') {
decoded = (u_char) (c - 'a' + 10);
state = sw_quoted_second;
break;
}

/* the invalid quoted character */

state = sw_usual;

*d++ = ch;

break;

case sw_quoted_second:

state = sw_usual;

if (ch >= '0' && ch <= '9') {
ch = (u_char) ((decoded << 4) + ch - '0');

if (type & NGX_UNESCAPE_REDIRECT) {
if (ch > '%' && ch < 0x7f) {
*d++ = ch;
break;
}

*d++ = '%'; *d++ = *(s - 2); *d++ = *(s - 1);

break;
}

*d++ = ch;

break;
}

c = (u_char) (ch | 0x20);
if (c >= 'a' && c <= 'f') {
ch = (u_char) ((decoded << 4) + c - 'a' + 10);

if (type & NGX_UNESCAPE_URI) {
if (ch == '?') {
*d++ = ch;
goto done;
}

*d++ = ch;
break;
}

if (type & NGX_UNESCAPE_REDIRECT) {
if (ch == '?') {
*d++ = ch;
goto done;
}

if (ch > '%' && ch < 0x7f) {
*d++ = ch;
break;
}

*d++ = '%'; *d++ = *(s - 2); *d++ = *(s - 1);
break;
}

*d++ = ch;

break;
}

/* the invalid quoted character */

break;
}
}

done:

*dst = d;
*src = s;
}
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

Reply Quote

RSS