Klaus Demo nginx / 0d7720d
Win32: uris with ":$" are now rejected. There are too many problems with special NTFS streams, notably "::$data", "::$index_allocation" and ":$i30:$index_allocation". For now we don't reject all URIs with ":" like Apache does as there are no good reasons seen yet, and there are multiple programs using it in URLs (e.g. MediaWiki). Maxim Dounin 7 years ago
1 changed file(s) with 22 addition(s) and 6 deletion(s). Raw diff Collapse all Expand all
811811
812812 #if (NGX_WIN32)
813813 {
814 u_char *p;
814 u_char *p, *last;
815
816 p = r->uri.data;
817 last = r->uri.data + r->uri.len;
818
819 while (p < last) {
820
821 if (*p++ == ':') {
822
823 /*
824 * this check covers "::$data", "::$index_allocation" and
825 * ":$i30:$index_allocation"
826 */
827
828 if (p < last && *p == '$') {
829 ngx_log_error(NGX_LOG_INFO, c->log, 0,
830 "client sent unsafe win32 URI");
831 ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
832 return;
833 }
834 }
835 }
815836
816837 p = r->uri.data + r->uri.len - 1;
817838
824845
825846 if (*p == '.') {
826847 p--;
827 continue;
828 }
829
830 if (ngx_strncasecmp(p - 6, (u_char *) "::$data", 7) == 0) {
831 p -= 7;
832848 continue;
833849 }
834850