Skip to content

Commit

Permalink
Disabled spaces in URIs (ticket #196).
Browse files Browse the repository at this point in the history 
From now on, requests with spaces in URIs are immediately rejected rather
than allowed.  Spaces were allowed in 31e9677b15a1 (0.8.41) to handle bad
clients.  It is believed that now this behaviour causes more harm than
good.
  • Loading branch information
@mdounin
mdounin committed Jun 28, 2021
1 parent fee09fc commit 05395f4
Show file tree
Hide file tree
Showing 4 changed files with 11 additions and 70 deletions.
4 changes: 2 additions & 2 deletions src/http/modules/ngx_http_proxy_module.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1186,7 +1186,7 @@ ngx_http_proxy_create_key(ngx_http_request_t *r)

loc_len = (r->valid_location && ctx->vars.uri.len) ? plcf->location.len : 0;

if (r->quoted_uri || r->space_in_uri || r->internal) {
if (r->quoted_uri || r->internal) {
escape = 2 * ngx_escape_uri(NULL, r->uri.data + loc_len,
r->uri.len - loc_len, NGX_ESCAPE_URI);
} else {
Expand Down Expand Up @@ -1299,7 +1299,7 @@ ngx_http_proxy_create_request(ngx_http_request_t *r)
loc_len = (r->valid_location && ctx->vars.uri.len) ?
plcf->location.len : 0;

if (r->quoted_uri || r->space_in_uri || r->internal) {
if (r->quoted_uri || r->internal) {
escape = 2 * ngx_escape_uri(NULL, r->uri.data + loc_len,
r->uri.len - loc_len, NGX_ESCAPE_URI);
}
Expand Down
72 changes: 8 additions & 64 deletions src/http/ngx_http_parse.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -116,10 +116,8 @@ ngx_http_parse_request_line(ngx_http_request_t *r, ngx_buf_t *b)
sw_host_end,
sw_host_ip_literal,
sw_port,
sw_host_http_09,
sw_after_slash_in_uri,
sw_check_uri,
sw_check_uri_http_09,
sw_uri,
sw_http_09,
sw_http_H,
Expand Down Expand Up @@ -398,7 +396,7 @@ ngx_http_parse_request_line(ngx_http_request_t *r, ngx_buf_t *b)
*/
r->uri_start = r->schema_end + 1;
r->uri_end = r->schema_end + 2;
state = sw_host_http_09;
state = sw_http_09;
break;
default:
return NGX_HTTP_PARSE_INVALID_REQUEST;
Expand Down Expand Up @@ -472,35 +470,13 @@ ngx_http_parse_request_line(ngx_http_request_t *r, ngx_buf_t *b)
*/
r->uri_start = r->schema_end + 1;
r->uri_end = r->schema_end + 2;
state = sw_host_http_09;
break;
default:
return NGX_HTTP_PARSE_INVALID_REQUEST;
}
break;

/* space+ after "http://host[:port] " */
case sw_host_http_09:
switch (ch) {
case ' ':
break;
case CR:
r->http_minor = 9;
state = sw_almost_done;
break;
case LF:
r->http_minor = 9;
goto done;
case 'H':
r->http_protocol.data = p;
state = sw_http_H;
state = sw_http_09;
break;
default:
return NGX_HTTP_PARSE_INVALID_REQUEST;
}
break;


/* check "/.", "//", "%", and "\" (Win32) in URI */
case sw_after_slash_in_uri:

Expand All @@ -512,7 +488,7 @@ ngx_http_parse_request_line(ngx_http_request_t *r, ngx_buf_t *b)
switch (ch) {
case ' ':
r->uri_end = p;
state = sw_check_uri_http_09;
state = sw_http_09;
break;
case CR:
r->uri_end = p;
Expand Down Expand Up @@ -584,7 +560,7 @@ ngx_http_parse_request_line(ngx_http_request_t *r, ngx_buf_t *b)
break;
case ' ':
r->uri_end = p;
state = sw_check_uri_http_09;
state = sw_http_09;
break;
case CR:
r->uri_end = p;
Expand Down Expand Up @@ -621,31 +597,6 @@ ngx_http_parse_request_line(ngx_http_request_t *r, ngx_buf_t *b)
}
break;

/* space+ after URI */
case sw_check_uri_http_09:
switch (ch) {
case ' ':
break;
case CR:
r->http_minor = 9;
state = sw_almost_done;
break;
case LF:
r->http_minor = 9;
goto done;
case 'H':
r->http_protocol.data = p;
state = sw_http_H;
break;
default:
r->space_in_uri = 1;
state = sw_check_uri;
p--;
break;
}
break;


/* URI */
case sw_uri:

Expand Down Expand Up @@ -692,10 +643,7 @@ ngx_http_parse_request_line(ngx_http_request_t *r, ngx_buf_t *b)
state = sw_http_H;
break;
default:
r->space_in_uri = 1;
state = sw_uri;
p--;
break;
return NGX_HTTP_PARSE_INVALID_REQUEST;
}
break;

Expand Down Expand Up @@ -1171,9 +1119,7 @@ ngx_http_parse_uri(ngx_http_request_t *r)

switch (ch) {
case ' ':
r->space_in_uri = 1;
state = sw_check_uri;
break;
return NGX_ERROR;
case '.':
r->complex_uri = 1;
state = sw_uri;
Expand Down Expand Up @@ -1232,8 +1178,7 @@ ngx_http_parse_uri(ngx_http_request_t *r)
r->uri_ext = p + 1;
break;
case ' ':
r->space_in_uri = 1;
break;
return NGX_ERROR;
#if (NGX_WIN32)
case '\\':
r->complex_uri = 1;
Expand Down Expand Up @@ -1267,8 +1212,7 @@ ngx_http_parse_uri(ngx_http_request_t *r)

switch (ch) {
case ' ':
r->space_in_uri = 1;
break;
return NGX_ERROR;
case '#':
r->complex_uri = 1;
break;
Expand Down
2 changes: 1 addition & 1 deletion src/http/ngx_http_request.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1264,7 +1264,7 @@ ngx_http_process_request_uri(ngx_http_request_t *r)
r->unparsed_uri.len = r->uri_end - r->uri_start;
r->unparsed_uri.data = r->uri_start;

r->valid_unparsed_uri = (r->space_in_uri || r->empty_path_in_uri) ? 0 : 1;
r->valid_unparsed_uri = r->empty_path_in_uri ? 0 : 1;

if (r->uri_ext) {
if (r->args_start) {
Expand Down
3 changes: 0 additions & 3 deletions src/http/ngx_http_request.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -468,9 +468,6 @@ struct ngx_http_request_s {
/* URI with "+" */
unsigned plus_in_uri:1;

/* URI with " " */
unsigned space_in_uri:1;

/* URI with empty path */
unsigned empty_path_in_uri:1;

Expand Down

0 comments on commit 05395f4

Please sign in to comment.