diff options
| -rw-r--r-- | src/http/ngx_http_parse.c | 23 | ||||
| -rw-r--r-- | src/http/ngx_http_request.c | 8 | ||||
| -rw-r--r-- | src/os/unix/ngx_files.h | 2 | ||||
| -rw-r--r-- | src/os/win32/ngx_files.h | 2 |
4 files changed, 10 insertions, 25 deletions
diff --git a/src/http/ngx_http_parse.c b/src/http/ngx_http_parse.c index 11e62e6ac..4aa1be8ed 100644 --- a/src/http/ngx_http_parse.c +++ b/src/http/ngx_http_parse.c @@ -1337,12 +1337,7 @@ ngx_http_parse_unsafe_uri(ngx_http_request_t *r, ngx_str_t *uri, goto unsafe; } - if (p[0] == '.' && len == 3 && p[1] == '.' && (p[2] == '/' -#if (NGX_WIN32) - || p[2] == '\\' -#endif - )) - { + if (p[0] == '.' && len == 3 && p[1] == '.' && (ngx_path_separator(p[2]))) { goto unsafe; } @@ -1367,30 +1362,22 @@ ngx_http_parse_unsafe_uri(ngx_http_request_t *r, ngx_str_t *uri, continue; } - if ((ch == '/' -#if (NGX_WIN32) - || ch == '\\' -#endif - ) && len > 2) - { + if (ngx_path_separator(ch) && len > 2) { + /* detect "/../" */ - if (p[0] == '.' && p[1] == '.' && p[2] == '/') { + if (p[0] == '.' && p[1] == '.' && ngx_path_separator(p[2])) { goto unsafe; } #if (NGX_WIN32) - if (p[2] == '\\') { - goto unsafe; - } - if (len > 3) { /* detect "/.../" */ if (p[0] == '.' && p[1] == '.' && p[2] == '.' - && (p[3] == '/' || p[3] == '\\')) + && ngx_path_separator(p[3])) { goto unsafe; } diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c index 31ab640e2..d06c6dd3f 100644 --- a/src/http/ngx_http_request.c +++ b/src/http/ngx_http_request.c @@ -1587,15 +1587,9 @@ ngx_http_validate_host(u_char *host, size_t len) continue; } - if (ch == '/' || ch == '\0') { + if (ngx_path_separator(ch) || ch == '\0') { return -1; } - -#if (NGX_WIN32) - if (ch == '\\') { - return -1; - } -#endif } if (dot) { diff --git a/src/os/unix/ngx_files.h b/src/os/unix/ngx_files.h index 63d080b5c..7d83b04e7 100644 --- a/src/os/unix/ngx_files.h +++ b/src/os/unix/ngx_files.h @@ -160,6 +160,8 @@ ngx_int_t ngx_set_file_time(u_char *name, ngx_fd_t fd, time_t s); #define ngx_realpath_n "realpath()" #define ngx_getcwd(buf, size) (getcwd(buf, size) != NULL) #define ngx_getcwd_n "getcwd()" +#define ngx_path_separator(c) ((c) == '/') + #define NGX_MAX_PATH PATH_MAX #define NGX_DIR_MASK_LEN 0 diff --git a/src/os/win32/ngx_files.h b/src/os/win32/ngx_files.h index f3561d9b3..1e2c630ae 100644 --- a/src/os/win32/ngx_files.h +++ b/src/os/win32/ngx_files.h @@ -154,6 +154,8 @@ char *ngx_realpath(u_char *path, u_char *resolved); #define ngx_realpath_n "" #define ngx_getcwd(buf, size) GetCurrentDirectory(size, buf) #define ngx_getcwd_n "GetCurrentDirectory()" +#define ngx_path_separator(c) ((c) == '/' || (c) == '\\') + #define NGX_MAX_PATH MAX_PATH |