bugfix: ngx_http_static_module: the 'Locatoin' response header value was not properly encoded by URI rules.

This may impose security vulnerabilities for Location values from
untrusted sources.

The corresponding tests are in the lua-nginx-module repo.
pull/630/head
lijunlong 4 years ago committed by Yichun Zhang (agentzh)
parent 4568281eaf
commit 6985198d46

@ -0,0 +1,50 @@
diff --git a/src/http/modules/ngx_http_static_module.c b/src/http/modules/ngx_http_static_module.c
index 282d6ee..899e11e 100644
--- a/src/http/modules/ngx_http_static_module.c
+++ b/src/http/modules/ngx_http_static_module.c
@@ -58,6 +58,8 @@ ngx_http_static_handler(ngx_http_request_t *r)
ngx_chain_t out;
ngx_open_file_info_t of;
ngx_http_core_loc_conf_t *clcf;
+ u_char *uri;
+ uintptr_t escape;
if (!(r->method & (NGX_HTTP_GET|NGX_HTTP_HEAD|NGX_HTTP_POST))) {
return NGX_HTTP_NOT_ALLOWED;
@@ -162,9 +164,21 @@ ngx_http_static_handler(ngx_http_request_t *r)
*last = '/';
+ escape = 2 * ngx_escape_uri(NULL, location, len, NGX_ESCAPE_URI);
+ if (escape > 0) {
+ uri = ngx_pnalloc(r->pool, len + escape);
+ if (uri == NULL) {
+ return NGX_ERROR;
+ }
+ ngx_escape_uri(uri, location, len, NGX_ESCAPE_URI);
+ location = uri;
+ len += escape;
+ }
+
} else {
+ escape = 2 * ngx_escape_uri(NULL, r->uri.data, r->uri.len, NGX_ESCAPE_URI);
if (r->args.len) {
- len += r->args.len + 1;
+ len += r->args.len + 1 + escape;
}
location = ngx_pnalloc(r->pool, len);
@@ -173,7 +187,12 @@ ngx_http_static_handler(ngx_http_request_t *r)
return NGX_HTTP_INTERNAL_SERVER_ERROR;
}
- last = ngx_copy(location, r->uri.data, r->uri.len);
+ if (escape > 0) {
+ last = (u_char *) ngx_escape_uri(location, r->uri.data, r->uri.len, NGX_ESCAPE_URI);
+
+ } else {
+ last = ngx_copy(location, r->uri.data, r->uri.len);
+ }
*last = '/';

@ -443,6 +443,13 @@ fi
rm -f *.patch || exit 1
answer=`$root/util/ver-ge "$main_ver" 1.17.8`
if [ "$answer" = "Y" ]; then
echo "$info_txt applying the patch for nginx security issue https://hackerone.com/reports/513236"
patch -p1 < $root/patches/nginx-$main_ver-static_mod_escape_loc_hdr.patch
echo
fi
echo "$info_txt applying the always_enable_cc_feature_tests patch to nginx"
patch -p1 < $root/patches/nginx-$main_ver-always_enable_cc_feature_tests.patch
echo

Loading…
Cancel
Save