Welcome! Log In Create A New Profile

Advanced

[nginx] Disabled control characters in URIs.

Maxim Dounin
June 28, 2021 02:38PM
details: https://hg.nginx.org/nginx/rev/b4073527be81
branches:
changeset: 7882:b4073527be81
user: Maxim Dounin <mdounin@mdounin.ru>
date: Mon Jun 28 18:01:15 2021 +0300
description:
Disabled control characters in URIs.

Control characters (0x00-0x1f, 0x7f) were never allowed in URIs, and must
be percent-encoded by clients. Further, these are not believed to appear
in practice. On the other hand, passing such characters might make various
attacks possible or easier, despite the fact that currently allowed control
characters are not significant for HTTP request parsing.

diffstat:

src/http/ngx_http_parse.c | 42 ++++++++++++++++++++++++++++--------------
1 files changed, 28 insertions(+), 14 deletions(-)

diffs (119 lines):

diff -r 52338ddf9e2f -r b4073527be81 src/http/ngx_http_parse.c
--- a/src/http/ngx_http_parse.c Mon Jun 28 18:01:13 2021 +0300
+++ b/src/http/ngx_http_parse.c Mon Jun 28 18:01:15 2021 +0300
@@ -11,7 +11,7 @@


static uint32_t usual[] = {
- 0xffffdbfe, /* 1111 1111 1111 1111 1101 1011 1111 1110 */
+ 0x00000000, /* 0000 0000 0000 0000 0000 0000 0000 0000 */

/* ?>=< ;:98 7654 3210 /.-, +*)( '&%$ #"! */
0x7fff37d6, /* 0111 1111 1111 1111 0011 0111 1101 0110 */
@@ -24,7 +24,7 @@ static uint32_t usual[] = {
#endif

/* ~}| {zyx wvut srqp onml kjih gfed cba` */
- 0xffffffff, /* 1111 1111 1111 1111 1111 1111 1111 1111 */
+ 0x7fffffff, /* 0111 1111 1111 1111 1111 1111 1111 1111 */

0xffffffff, /* 1111 1111 1111 1111 1111 1111 1111 1111 */
0xffffffff, /* 1111 1111 1111 1111 1111 1111 1111 1111 */
@@ -528,9 +528,10 @@ ngx_http_parse_request_line(ngx_http_req
case '+':
r->plus_in_uri = 1;
break;
- case '\0':
- return NGX_HTTP_PARSE_INVALID_REQUEST;
default:
+ if (ch < 0x20 || ch == 0x7f) {
+ return NGX_HTTP_PARSE_INVALID_REQUEST;
+ }
state = sw_check_uri;
break;
}
@@ -592,8 +593,11 @@ ngx_http_parse_request_line(ngx_http_req
case '+':
r->plus_in_uri = 1;
break;
- case '\0':
- return NGX_HTTP_PARSE_INVALID_REQUEST;
+ default:
+ if (ch < 0x20 || ch == 0x7f) {
+ return NGX_HTTP_PARSE_INVALID_REQUEST;
+ }
+ break;
}
break;

@@ -621,8 +625,11 @@ ngx_http_parse_request_line(ngx_http_req
case '#':
r->complex_uri = 1;
break;
- case '\0':
- return NGX_HTTP_PARSE_INVALID_REQUEST;
+ default:
+ if (ch < 0x20 || ch == 0x7f) {
+ return NGX_HTTP_PARSE_INVALID_REQUEST;
+ }
+ break;
}
break;

@@ -1118,8 +1125,6 @@ ngx_http_parse_uri(ngx_http_request_t *r
}

switch (ch) {
- case ' ':
- return NGX_ERROR;
case '.':
r->complex_uri = 1;
state = sw_uri;
@@ -1150,6 +1155,9 @@ ngx_http_parse_uri(ngx_http_request_t *r
r->plus_in_uri = 1;
break;
default:
+ if (ch <= 0x20 || ch == 0x7f) {
+ return NGX_ERROR;
+ }
state = sw_check_uri;
break;
}
@@ -1177,8 +1185,6 @@ ngx_http_parse_uri(ngx_http_request_t *r
case '.':
r->uri_ext = p + 1;
break;
- case ' ':
- return NGX_ERROR;
#if (NGX_WIN32)
case '\\':
r->complex_uri = 1;
@@ -1200,6 +1206,11 @@ ngx_http_parse_uri(ngx_http_request_t *r
case '+':
r->plus_in_uri = 1;
break;
+ default:
+ if (ch <= 0x20 || ch == 0x7f) {
+ return NGX_ERROR;
+ }
+ break;
}
break;

@@ -1211,11 +1222,14 @@ ngx_http_parse_uri(ngx_http_request_t *r
}

switch (ch) {
- case ' ':
- return NGX_ERROR;
case '#':
r->complex_uri = 1;
break;
+ default:
+ if (ch <= 0x20 || ch == 0x7f) {
+ return NGX_ERROR;
+ }
+ break;
}
break;
}
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
Subject Author Views Posted

[nginx] Disabled control characters in URIs.

Maxim Dounin 88 June 28, 2021 02:38PM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 69
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready