bugfix: segmentation faults might happen when ngx.exec() was fed with unsafe URIs (openresty#905)

jayce · agentzh · commit 5134a9c824b4 · 2016-11-02T14:36:33.000-07:00
Signed-off-by: Yichun Zhang (agentzh) &lt;agentzh@gmail.com&gt;
diff --git a/src/ngx_http_lua_control.c b/src/ngx_http_lua_control.c
@@ -105,10 +105,10 @@ ngx_http_lua_ngx_exec(lua_State *L)
 
     ngx_http_lua_check_if_abortable(L, ctx);
 
-    if (ngx_http_parse_unsafe_uri(r, &uri, &args, &flags)
-        != NGX_OK)
-    {
-        return NGX_HTTP_INTERNAL_SERVER_ERROR;
+    flags = NGX_HTTP_LOG_UNSAFE;
+
+    if (ngx_http_parse_unsafe_uri(r, &uri, &args, &flags) != NGX_OK) {
+        return luaL_error(L, "unsafe uri");
     }
 
     if (n == 2) {
diff --git a/t/024-access/exec.t b/t/024-access/exec.t
@@ -3,9 +3,8 @@
 use Test::Nginx::Socket::Lua;
 
 repeat_each(2);
-#repeat_each(1);
 
-plan tests => blocks() * repeat_each() * 2;
+plan tests => repeat_each() * (blocks() * 2 + 2);
 
 #no_diff();
 #no_long_string();
@@ -349,3 +348,24 @@ hello
 --- response_body
 hello, bah
 
+
+
+=== TEST 16: github issue #905: unsafe uri
+--- config
+    location /read {
+        access_by_lua_block {
+            ngx.exec("/hi/../");
+        }
+    }
+    location /hi {
+        echo "Hello";
+    }
+--- request
+GET /read
+--- response_body_like: 500 Internal Server Error
+--- error_code: 500
+--- error_log eval
+[
+'unsafe URI "/hi/../" was detected',
+qr/runtime error: access_by_lua\(nginx.conf:\d+\):2: unsafe uri/,
+]
