Date: Mon, 23 Nov 2009 16:12:44 +0300
From: Igor Sysoev <igor@...oev.ru>
To: Jan Lieskovsky <jlieskov@...hat.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: CVEs for nginx

On Mon, Nov 23, 2009 at 12:12:53PM +0100, Jan Lieskovsky wrote:

> Hi Igor,
> 
> Igor Sysoev wrote:
>  > As I far I know - no.
> 
>    Josh, could you allocate one then?
> 
>   > This bug was fixed in 0.8.17 and 0.7.63:
> > 
> > Changes with nginx 0.8.17                                        28 Sep 2009
> > 
> >     *) Security: now "/../" are disabled in "Destination" request header
> >        line.
> > 
> > Changes with nginx 0.7.63                                        26 Oct 2009
> > 
> >     *) Security: now "/../" are disabled in "Destination" request header
> >        line.
> > 
> > There is no patch; however, I can create it for you.
> 
>    That would be perfect.

The patch attached.


-- 
Igor Sysoev
http://sysoev.ru/en/

Index: src/http/ngx_http_request.h
===================================================================
--- src/http/ngx_http_request.h	(revision 2480)
+++ src/http/ngx_http_request.h	(revision 2481)
@@ -60,6 +60,7 @@
 #define NGX_HTTP_ZERO_IN_URI               1
 #define NGX_HTTP_SUBREQUEST_IN_MEMORY      2
 #define NGX_HTTP_SUBREQUEST_WAITED         4
+#define NGX_HTTP_LOG_UNSAFE                8
 
 
 #define NGX_HTTP_OK                        200
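Review bot: NGX_HTTP_LOG_UNSAFE is added without a comment to a run of constants that share one bit space, and unlike what its neighbours' names suggest it is read by ngx_http_parse_unsafe_uri() as an input (see the ngx_http_parse.c hunk in this patch). Judging by their names, the SUBREQUEST_* values are meant for a different consumer, so a caller that reuses one `flags` variable for both would carry bit 8 along; that is an inference, not something these hunks show. A one-line comment above the define, such as `/* input to ngx_http_parse_unsafe_uri(): log rejected URIs at error level */`, would make the contract explicit.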
Index: src/http/ngx_http_upstream.c
===================================================================
--- src/http/ngx_http_upstream.c	(revision 2480)
+++ src/http/ngx_http_upstream.c	(revision 2481)
@@ -1797,7 +1797,7 @@
         uri = &u->headers_in.x_accel_redirect->value;
         args.len = 0;
         args.data = NULL;
-        flags = 0;
+        flags = NGX_HTTP_LOG_UNSAFE;
 
         if (ngx_http_parse_unsafe_uri(r, uri, &args, &flags) != NGX_OK) {
             ngx_http_finalize_request(r, NGX_HTTP_NOT_FOUND);
Index: src/http/ngx_http_parse.c
===================================================================
--- src/http/ngx_http_parse.c	(revision 2480)
+++ src/http/ngx_http_parse.c	(revision 2481)
@@ -1322,8 +1322,10 @@
 
 unsafe:
 
-    ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
-                  "unsafe URI \"%V\" was detected", uri);
+    if (*flags & NGX_HTTP_LOG_UNSAFE) {
+        ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
+                      "unsafe URI \"%V\" was detected", uri);
+    }
 
     return NGX_ERROR;
 }
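Review bot: The "unsafe URI" error-log line becomes opt-in at the `unsafe:` label, so any caller that still passes `flags = 0` now gets NGX_ERROR with no log record of the rejected URI. This patch updates the upstream and SSI call sites, but callers outside it (other modules, third-party code) would silently lose a line that operators may rely on to spot traversal attempts. Consider stating this in the function's header comment, e.g. `/* callers must set NGX_HTTP_LOG_UNSAFE in *flags to have rejections logged */`. The function body starts outside the hunk.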
Index: src/http/modules/ngx_http_ssi_filter_module.c
===================================================================
--- src/http/modules/ngx_http_ssi_filter_module.c	(revision 2480)
+++ src/http/modules/ngx_http_ssi_filter_module.c	(revision 2481)
@@ -1908,7 +1908,7 @@
 
     args.len = 0;
     args.data = NULL;
-    flags = 0;
+    flags = NGX_HTTP_LOG_UNSAFE;
 
     if (ngx_http_parse_unsafe_uri(r, uri, &args, &flags) != NGX_OK) {
         return NGX_HTTP_SSI_ERROR;
Index: src/http/modules/ngx_http_dav_module.c
===================================================================
--- src/http/modules/ngx_http_dav_module.c	(revision 2480)
+++ src/http/modules/ngx_http_dav_module.c	(revision 2481)
@@ -516,8 +516,8 @@
     size_t                    len, root;
     ngx_err_t                 err;
     ngx_int_t                 rc, depth;
-    ngx_uint_t                overwrite, slash, dir;
-    ngx_str_t                 path, uri;
+    ngx_uint_t                overwrite, slash, dir, flags;
+    ngx_str_t                 path, uri, duri, args;
     ngx_tree_ctx_t            tree;
     ngx_copy_file_t           cf;
     ngx_file_info_t           fi;
@@ -594,6 +594,14 @@
 
 destination_done:
 
+    duri.len = last - p;
+    duri.data = p;
+    flags = 0;
+
+    if (ngx_http_parse_unsafe_uri(r, &duri, &args, &flags) != NGX_OK) {
+        goto invalid_destination;
+    }
+
     if ((r->uri.data[r->uri.len - 1] == '/' && *(last - 1) != '/')
         || (r->uri.data[r->uri.len - 1] != '/' && *(last - 1) == '/'))
     {
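Review bot: `args` is passed to ngx_http_parse_unsafe_uri() without being initialised, whereas the upstream and SSI call sites in this patch set `args.len = 0; args.data = NULL;` before the call. Adding the same two lines before `flags = 0;` keeps the call sites consistent and avoids indeterminate values if `args` is ever inspected later. With `flags = 0`, a Destination containing "/../" is rejected without the "unsafe URI" log line, so the only record of the attempt is whatever `invalid_destination` logs. That label is outside the hunk and should be confirmed to log the header value; the enclosing function also starts and ends outside the hunk.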
@@ -656,10 +664,8 @@
                    "http copy from: \"%s\"", path.data);
 
     uri = r->uri;
+    r->uri = duri;
 
-    r->uri.len = last - p;
-    r->uri.data = p;
-
     ngx_http_map_uri_to_path(r, &copy.path, &root, 0);
 
     r->uri = uri;
