bugfix: ensured arguments of APIs mutating uri or request/response headers do not contain unsafe characters. (#1654)

Signed-off-by: Thibault Charbonnier <[email protected]>

Author: doujiang24

README.markdown

@@ -4251,10 +4251,8 @@ to be returned when reading `ngx.header.Foo`.
 
 Note that `ngx.header` is not a normal Lua table and as such, it is not possible to iterate through it using the Lua `ipairs` function.
 
-Note: `HEADER` and `VALUE` will be truncated if they
-contain the `\r` or `\n` characters. The truncated values
-will contain all characters up to (and excluding) the first occurrence of
-`\r` or `\n`.
+Note: this function throws a Lua error if `HEADER` or
+`VALUE` contain unsafe characters (control characters).
 
 For reading *request* headers, use the [ngx.req.get_headers](#ngxreqget_headers) function instead.
 
@@ -4499,6 +4497,9 @@ which is functionally equivalent to
  }
 ```
 
+Note: this function throws a Lua error if the `uri` argument
+contains unsafe characters (control characters).
+
 Note that it is not possible to use this interface to rewrite URI arguments and that [ngx.req.set_uri_args](#ngxreqset_uri_args) should be used for this instead. For instance, Nginx config
 
 ```nginx
@@ -4914,6 +4915,9 @@ is equivalent to
  ngx.req.clear_header("X-Foo")
 ```
 
+Note: this function throws a Lua error if `header_name` or
+`header_value` contain unsafe characters (control characters).
+
 [Back to TOC](#nginx-api-for-lua)
 
 ngx.req.clear_header
@@ -5247,12 +5251,8 @@ ngx.redirect
 
 Issue an `HTTP 301` or `302` redirection to `uri`.
 
-Notice: the `uri` should not contains `\r` or `\n`, otherwise, the characters after `\r` or `\n` will be truncated, including the `\r` or `\n` bytes themself.
-
-The `uri` argument will be truncated if it contains the
-`\r` or `\n` characters. The truncated value will contain
-all characters up to (and excluding) the first occurrence of `\r` or
-`\n`.
+Note: this function throws a Lua error if the `uri` argument
+contains unsafe characters (control characters).
 
 The optional `status` parameter specifies the HTTP status code to be used. The following status codes are supported right now:
 

doc/HttpLuaModule.wiki

@@ -3533,10 +3533,8 @@ to be returned when reading <code>ngx.header.Foo</code>.
 
 Note that <code>ngx.header</code> is not a normal Lua table and as such, it is not possible to iterate through it using the Lua <code>ipairs</code> function.
 
-Note: <code>HEADER</code> and <code>VALUE</code> will be truncated if they
-contain the <code>\r</code> or <code>\n</code> characters. The truncated values
-will contain all characters up to (and excluding) the first occurrence of
-<code>\r</code> or <code>\n</code>.
+Note: this function throws a Lua error if <code>HEADER</code> or
+<code>VALUE</code> contain unsafe characters (control characters).
 
 For reading ''request'' headers, use the [[#ngx.req.get_headers|ngx.req.get_headers]] function instead.
 
@@ -3746,6 +3744,9 @@ which is functionally equivalent to
     }
 </geshi>
 
+Note: this function throws a Lua error if the <code>uri</code> argument
+contains unsafe characters (control characters).
+
 Note that it is not possible to use this interface to rewrite URI arguments and that [[#ngx.req.set_uri_args|ngx.req.set_uri_args]] should be used for this instead. For instance, Nginx config
 
 <geshi lang="nginx">
@@ -4110,6 +4111,9 @@ is equivalent to
     ngx.req.clear_header("X-Foo")
 </geshi>
 
+Note: this function throws a Lua error if <code>header_name</code> or
+<code>header_value</code> contain unsafe characters (control characters).
+
 == ngx.req.clear_header ==
 
 '''syntax:''' ''ngx.req.clear_header(header_name)''
@@ -4398,12 +4402,8 @@ It is recommended that a coding style that combines this method call with the <c
 
 Issue an <code>HTTP 301</code> or <code>302</code> redirection to <code>uri</code>.
 
-Notice: the <code>uri</code> should not contains <code>\r</code> or <code>\n</code>, otherwise, the characters after <code>\r</code> or <code>\n</code> will be truncated, including the <code>\r</code> or <code>\n</code> bytes themself.
-
-The <code>uri</code> argument will be truncated if it contains the
-<code>\r</code> or <code>\n</code> characters. The truncated value will contain
-all characters up to (and excluding) the first occurrence of <code>\r</code> or
-<code>\n</code>.
+Note: this function throws a Lua error if the <code>uri</code> argument
+contains unsafe characters (control characters).
 
 The optional <code>status</code> parameter specifies the HTTP status code to be used. The following status codes are supported right now:
 

src/ngx_http_lua_control.c

@@ -239,7 +239,9 @@ ngx_http_lua_ngx_redirect(lua_State *L)
                           "the headers");
     }
 
-    len = ngx_http_lua_safe_header_value_len(p, len);
+    if (ngx_http_lua_check_header_safe(r, p, len) != NGX_OK) {
+        return luaL_error(L, "attempt to use unsafe uri");
+    }
 
     uri = ngx_palloc(r->pool, len);
     if (uri == NULL) {

src/ngx_http_lua_headers_in.c

@@ -658,6 +658,12 @@ ngx_http_lua_set_input_header(ngx_http_request_t *r, ngx_str_t key,
 
     dd("set header value: %.*s", (int) value.len, value.data);
 
+    if (ngx_http_lua_check_header_safe(r, key.data, key.len) != NGX_OK
+        || ngx_http_lua_check_header_safe(r, value.data, value.len) != NGX_OK)
+    {
+        return NGX_ERROR;
+    }
+
     hv.hash = ngx_hash_key_lc(key.data, key.len);
     hv.key = key;
 

src/ngx_http_lua_headers_out.c

@@ -491,9 +491,11 @@ ngx_http_lua_set_output_header(ngx_http_request_t *r, ngx_http_lua_ctx_t *ctx,
 
     dd("set header value: %.*s", (int) value.len, value.data);
 
-    key.len = ngx_http_lua_safe_header_value_len(key.data, key.len);
-
-    value.len = ngx_http_lua_safe_header_value_len(value.data, value.len);
+    if (ngx_http_lua_check_header_safe(r, key.data, key.len) != NGX_OK
+        || ngx_http_lua_check_header_safe(r, value.data, value.len) != NGX_OK)
+    {
+        return NGX_ERROR;
+    }
 
     hv.hash = ngx_hash_key_lc(key.data, key.len);
     hv.key = key;

src/ngx_http_lua_uri.c

@@ -16,6 +16,8 @@
 
 
 static int ngx_http_lua_ngx_req_set_uri(lua_State *L);
+static ngx_int_t ngx_http_lua_check_uri_safe(ngx_http_request_t *r,
+    u_char *str, size_t len);
 
 
 void
@@ -55,6 +57,10 @@ ngx_http_lua_ngx_req_set_uri(lua_State *L)
         return luaL_error(L, "attempt to use zero-length uri");
     }
 
+    if (ngx_http_lua_check_uri_safe(r, p, len) != NGX_OK) {
+        return luaL_error(L, "attempt to use unsafe uri");
+    }
+
     if (n == 2) {
 
         luaL_checktype(L, 2, LUA_TBOOLEAN);
@@ -107,4 +113,57 @@ ngx_http_lua_ngx_req_set_uri(lua_State *L)
     return 0;
 }
 
+
+static ngx_inline ngx_int_t
+ngx_http_lua_check_uri_safe(ngx_http_request_t *r, u_char *str, size_t len)
+{
+    size_t           i, buf_len;
+    u_char           c;
+    u_char          *buf, *src = str;
+
+                     /* %00-%1F, " ", %7F */
+
+    static uint32_t  unsafe[] = {
+        0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
+
+                    /* ?>=< ;:98 7654 3210  /.-, +*)( '&%$ #"!  */
+        0x00000001, /* 0000 0000 0000 0000  0000 0000 0000 0001 */
+
+                    /* _^]\ [ZYX WVUT SRQP  ONML KJIH GFED CBA@ */
+        0x00000000, /* 0000 0000 0000 0000  0000 0000 0000 0000 */
+
+                    /*  ~}| {zyx wvut srqp  onml kjih gfed cba` */
+        0x80000000, /* 1000 0000 0000 0000  0000 0000 0000 0000 */
+
+        0x00000000, /* 0000 0000 0000 0000  0000 0000 0000 0000 */
+        0x00000000, /* 0000 0000 0000 0000  0000 0000 0000 0000 */
+        0x00000000, /* 0000 0000 0000 0000  0000 0000 0000 0000 */
+        0x00000000  /* 0000 0000 0000 0000  0000 0000 0000 0000 */
+    };
+
+    for (i = 0; i < len; i++, str++) {
+        c = *str;
+        if (unsafe[c >> 5] & (1 << (c & 0x1f))) {
+            buf_len = ngx_http_lua_escape_log(NULL, src, len);
+            buf = ngx_palloc(r->pool, buf_len);
+            if (buf == NULL) {
+                return NGX_ERROR;
+            }
+
+            ngx_http_lua_escape_log(buf, src, len);
+
+            ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
+                          "unsafe byte \"0x%uxd\" in uri \"%*s\"",
+                          (unsigned) c, buf_len, buf);
+
+            ngx_pfree(r->pool, buf);
+
+            return NGX_ERROR;
+        }
+    }
+
+    return NGX_OK;
+}
+
+
 /* vi:set ft=c ts=4 sw=4 et fdm=marker: */

src/ngx_http_lua_util.c

@@ -4261,4 +4261,123 @@ ngx_http_lua_set_sa_restart(ngx_log_t *log)
 #endif
 
 
+size_t
+ngx_http_lua_escape_log(u_char *dst, u_char *src, size_t size)
+{
+    size_t          n;
+    u_char          c;
+    static u_char   hex[] = "0123456789ABCDEF";
+
+    static uint32_t escape[] = {
+        0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
+
+                    /* ?>=< ;:98 7654 3210  /.-, +*)( '&%$ #"!  */
+        0x00000004, /* 0000 0000 0000 0000  0000 0000 0000 0100 */
+
+                    /* _^]\ [ZYX WVUT SRQP  ONML KJIH GFED CBA@ */
+        0x10000000, /* 0001 0000 0000 0000  0000 0000 0000 0000 */
+
+                    /*  ~}| {zyx wvut srqp  onml kjih gfed cba` */
+        0x80000000, /* 1000 0000 0000 0000  0000 0000 0000 0000 */
+
+        0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
+        0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
+        0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
+        0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
+    };
+
+    if (dst == NULL) {
+
+        /* find the number of characters to be escaped */
+
+        n = 0;
+
+        while (size) {
+            c = *src;
+            if (escape[c >> 5] & (1 << (c & 0x1f))) {
+                n += 4;
+
+            } else {
+                n++;
+            }
+
+            src++;
+            size--;
+        }
+
+        return n;
+    }
+
+    while (size) {
+        c = *src;
+        if (escape[c >> 5] & (1 << (c & 0x1f))) {
+            *dst++ = '\\';
+            *dst++ = 'x';
+            *dst++ = hex[*src >> 4];
+            *dst++ = hex[*src & 0xf];
+            src++;
+
+        } else {
+            *dst++ = *src++;
+        }
+
+        size--;
+    }
+
+    return 0;
+}
+
+
+ngx_inline ngx_int_t
+ngx_http_lua_check_header_safe(ngx_http_request_t *r, u_char *str, size_t len)
+{
+    size_t           i, buf_len;
+    u_char           c;
+    u_char          *buf, *src = str;
+
+                     /* %00-%1F, %7F */
+
+    static uint32_t  unsafe[] = {
+        0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
+
+                    /* ?>=< ;:98 7654 3210  /.-, +*)( '&%$ #"!  */
+        0x00000000, /* 0000 0000 0000 0000  0000 0000 0000 0000 */
+
+                    /* _^]\ [ZYX WVUT SRQP  ONML KJIH GFED CBA@ */
+        0x00000000, /* 0000 0000 0000 0000  0000 0000 0000 0000 */
+
+                    /*  ~}| {zyx wvut srqp  onml kjih gfed cba` */
+        0x80000000, /* 1000 0000 0000 0000  0000 0000 0000 0000 */
+
+        0x00000000, /* 0000 0000 0000 0000  0000 0000 0000 0000 */
+        0x00000000, /* 0000 0000 0000 0000  0000 0000 0000 0000 */
+        0x00000000, /* 0000 0000 0000 0000  0000 0000 0000 0000 */
+        0x00000000  /* 0000 0000 0000 0000  0000 0000 0000 0000 */
+    };
+
+    for (i = 0; i < len; i++, str++) {
+        c = *str;
+        if (unsafe[c >> 5] & (1 << (c & 0x1f))) {
+            buf_len = ngx_http_lua_escape_log(NULL, src, len);
+            buf = ngx_palloc(r->pool, buf_len);
+            if (buf == NULL) {
+                return NGX_ERROR;
+            }
+
+            ngx_http_lua_escape_log(buf, src, len);
+
+            ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
+                          "unsafe byte \"0x%uxd\" in header \"%*s\"",
+                          (unsigned) c, buf_len, buf);
+
+            ngx_pfree(r->pool, buf);
+
+            return NGX_ERROR;
+        }
+    }
+
+    return NGX_OK;
+}
+
+
 /* vi:set ft=c ts=4 sw=4 et fdm=marker: */

src/ngx_http_lua_util.h

@@ -241,20 +241,9 @@ void ngx_http_lua_cleanup_free(ngx_http_request_t *r,
 void ngx_http_lua_set_sa_restart(ngx_log_t *log);
 #endif
 
-
-static ngx_inline size_t
-ngx_http_lua_safe_header_value_len(u_char *str, size_t len)
-{
-    size_t i;
-
-    for (i = 0; i < len; i++, str++) {
-        if (*str == '\r' || *str == '\n') {
-            return i;
-        }
-    }
-
-    return len;
-}
+size_t ngx_http_lua_escape_log(u_char *dst, u_char *src, size_t size);
+ngx_int_t ngx_http_lua_check_header_safe(ngx_http_request_t *r, u_char *str,
+    size_t len);
 
 
 static ngx_inline void