Exclude CR from HTTP Request splitting

2018-03-02 12:49:14 +03:00 · 2018-03-02 12:49:14 +03:00 · 2c44989f4a
parent 902e739106
commit 2c44989f4a
3 changed files with 8 additions and 1 deletions
--- a/gixy/plugins/http_splitting.py
+++ b/gixy/plugins/http_splitting.py
@ -28,11 +28,12 @@ class http_splitting(Plugin):
        if not value:
            return

+        server_side = directive.name.startswith('proxy_')
        for var in compile_script(value):
            char = ''
            if var.can_contain('\n'):
                char = '\\n'
-            elif var.can_contain('\r'):
+            elif not server_side and var.can_contain('\r'):
                char = '\\r'
            else:
                continue
--- a/tests/plugins/simply/http_splitting/proxy_pass_cr_fp.conf
+++ b/tests/plugins/simply/http_splitting/proxy_pass_cr_fp.conf
@ -0,0 +1,3 @@
+location ~* ^/test/(.*) {
+    proxy_pass http://10.10.10.10/$1;
+}
--- a/tests/plugins/simply/http_splitting/proxy_pass_lf.conf
+++ b/tests/plugins/simply/http_splitting/proxy_pass_lf.conf
@ -0,0 +1,3 @@
+location ~* ^/test/([^/]+)/ {
+    proxy_pass http://10.10.10.10/$1;
+}