Ngx unescape uri bug

I’m Zuwen Shi from China, I found an unescape uri bug in your program.
The source code location is src\core\ngx_string.c->ngx_unescape_uri
If I put in the string “%%s%elect”, it converts the string to “%slect”:
%% to %, and %el to l. Actually the right conversion is “%%s%elect”.
So, I patched ngx_unescape_uri as below; the red part is what I
modified.
Nginx is a really nice project.

void
ngx_unescape_uri(u_char **dst, u_char **src, size_t size, ngx_uint_t type)
{
    u_char  *d, *s, ch, c, decoded;
    enum {
        sw_usual = 0,
        sw_quoted,
        sw_quoted_second
    } state;

    d = *dst;
    s = *src;

    state = 0;
    decoded = 0;

    while (size--) {

        ch = *s++;

        switch (state) {
        case sw_usual:
            if (ch == '?'
                && (type & (NGX_UNESCAPE_URI|NGX_UNESCAPE_REDIRECT)))
            {
                *d++ = ch;
                goto done;
            }

            /*
             * modified part: look ahead at the next two bytes and only
             * enter the quoted state when both are hex digits; otherwise
             * the '%' is copied literally (size has already been
             * decremented, so "size > 1" means two bytes remain after ch)
             */

            if (ch == '%' && size > 1) {
                ch = *s;
                c = (u_char) (ch | 0x20);
                if ((ch >= '0' && ch <= '9') || (c >= 'a' && c <= 'f')) {
                    ch = *(s + 1);
                    c = (u_char) (ch | 0x20);
                    if ((ch >= '0' && ch <= '9') || (c >= 'a' && c <= 'f')) {
                        state = sw_quoted;
                        break;
                    }
                }
                *d++ = '%';
                break;
            }

            if (ch == '+') {
                *d++ = ' ';
                break;
            }

            *d++ = ch;
            break;

        case sw_quoted:

            if (ch >= '0' && ch <= '9') {
                decoded = (u_char) (ch - '0');
                state = sw_quoted_second;
                break;
            }

            c = (u_char) (ch | 0x20);
            if (c >= 'a' && c <= 'f') {
                decoded = (u_char) (c - 'a' + 10);
                state = sw_quoted_second;
                break;
            }

            /* the invalid quoted character (unreachable with the lookahead above) */

            state = sw_usual;

            *d++ = ch;

            break;

        case sw_quoted_second:

            state = sw_usual;

            if (ch >= '0' && ch <= '9') {
                ch = (u_char) ((decoded << 4) + ch - '0');

                if (type & NGX_UNESCAPE_REDIRECT) {
                    if (ch > '%' && ch < 0x7f) {
                        *d++ = ch;
                        break;
                    }

                    /* keep the escape sequence as it was */
                    *d++ = '%'; *d++ = *(s - 2); *d++ = *(s - 1);

                    break;
                }

                *d++ = ch;

                break;
            }

            c = (u_char) (ch | 0x20);
            if (c >= 'a' && c <= 'f') {
                ch = (u_char) ((decoded << 4) + c - 'a' + 10);

                if (type & NGX_UNESCAPE_URI) {
                    if (ch == '?') {
                        *d++ = ch;
                        goto done;
                    }

                    *d++ = ch;
                    break;
                }

                if (type & NGX_UNESCAPE_REDIRECT) {
                    if (ch == '?') {
                        *d++ = ch;
                        goto done;
                    }

                    if (ch > '%' && ch < 0x7f) {
                        *d++ = ch;
                        break;
                    }

                    /* keep the escape sequence as it was */
                    *d++ = '%'; *d++ = *(s - 2); *d++ = *(s - 1);
                    break;
                }

                *d++ = ch;

                break;
            }

            /* the invalid quoted character (unreachable with the lookahead above) */

            break;
        }
    }

done:

    *dst = d;
    *src = s;
}
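As an added example (not nginx code and not part of either message), here is a small standalone decoder that applies the same lookahead rule the patch above proposes: a '%' is consumed only when two hex digits follow it, otherwise it is copied through unchanged. It also includes a strict validator that reports whether an input contains any malformed escape at all, which is the check an edge component would use if it wants to reject such input instead of guessing how to decode it. The function names (unescape_lookahead, pct_encoding_is_valid, decodes_to) and the sample inputs are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Value of a hex digit, or -1 if ch is not one (case folded as in nginx). */
static int hex_value(unsigned char ch)
{
    if (ch >= '0' && ch <= '9') {
        return ch - '0';
    }
    ch |= 0x20;
    if (ch >= 'a' && ch <= 'f') {
        return ch - 'a' + 10;
    }
    return -1;
}

/*
 * Hypothetical lookahead decoder in the spirit of the posted patch.
 * '%' followed by two hex digits is decoded; any other '%' is copied
 * literally; '+' becomes a space. dst needs strlen(src) + 1 bytes.
 * Returns the number of bytes written, not counting the terminating NUL.
 */
size_t unescape_lookahead(char *dst, const char *src)
{
    size_t  i = 0, out = 0, n = strlen(src);

    while (i < n) {
        unsigned char ch = (unsigned char) src[i];

        if (ch == '%' && i + 2 < n) {
            int hi = hex_value((unsigned char) src[i + 1]);
            int lo = hex_value((unsigned char) src[i + 2]);

            if (hi >= 0 && lo >= 0) {
                dst[out++] = (char) ((hi << 4) | lo);
                i += 3;
                continue;
            }
        }

        if (ch == '+') {
            dst[out++] = ' ';
        } else {
            dst[out++] = (char) ch;     /* includes a literal '%' */
        }
        i++;
    }

    dst[out] = '\0';
    return out;
}

/* Strict check: 1 if every '%' starts a well-formed %XX escape, else 0. */
int pct_encoding_is_valid(const char *s)
{
    size_t  i = 0, n = strlen(s);

    while (i < n) {
        if (s[i] == '%') {
            if (i + 2 >= n
                || hex_value((unsigned char) s[i + 1]) < 0
                || hex_value((unsigned char) s[i + 2]) < 0)
            {
                return 0;
            }
            i += 3;
        } else {
            i++;
        }
    }
    return 1;
}

/* Convenience helper: does src decode (with lookahead) to expected? */
int decodes_to(const char *src, const char *expected)
{
    char  buf[256];

    if (strlen(src) >= sizeof(buf)) {
        return 0;
    }
    unescape_lookahead(buf, src);
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* constructed sample inputs: the one from the report plus two more */
    const char *samples[] = { "%%s%elect", "%2Fa+b%20c", "x%2" };
    char        buf[256];
    size_t      k;

    for (k = 0; k < sizeof(samples) / sizeof(samples[0]); k++) {
        unescape_lookahead(buf, samples[k]);
        printf("%-12s -> %-12s valid=%d\n", samples[k], buf,
               pct_encoding_is_valid(samples[k]));
    }
    return 0;
}
```

The point of running both functions side by side is that malformed escapes are exactly where different decoders disagree (the thread shows two reasonable outputs for "%%s%elect"); a component that validates strictly at the edge does not have to care which interpretation the next hop picks.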

Hello!

On Mon, Mar 25, 2013 at 03:11:10PM +0800, David Shee wrote:

I’m Zuwen Shi from China, I found an unescape uri bug in your program.
The source code location is src\core\ngx_string.c->ngx_unescape_uri
If I put in the string “%%s%elect”, it converts the string to “%slect”: %% to
%, and %el to l. Actually the right conversion is “%%s%elect”.

I would rather say that behaviour is undefined in case of
incorrect input, and both results are correct.

So, I patched ngx_unescape_uri as below; the red part is what I modified.

You may want to post unified diff into nginx-devel@ mailing list.
And please don’t use html. Thank you.


Maxim D.
http://nginx.org/en/donation.html