feature: ngx.req.set_uri_args() now automatically escapes control and whitespace characters if the query-string is provided directly.

Signed-off-by: Yichun Zhang (agentzh) <yichun@openresty.com>

Author: zhuizhuhaomeng

README.markdown

@@ -4552,7 +4552,12 @@ or a Lua table holding the query arguments' key-value pairs, as in
  ngx.req.set_uri_args({ a = 3, b = "hello world" })
 ```
 
-where in the latter case, this method will escape argument keys and values according to the URI escaping rule.
+In the former case, i.e., when the whole query-strng is provided directly,
+the input Lua string should already be well-formed with the URI encoding.
+For security considerations, his method will autoamticaly escape any control and
+whitespace characters (ASCII code 0x00 ~ 0x32 and 0x7F) in the Lua string.
+
+In the latter case, this method will escape argument keys and values according to the URI escaping rule.
 
 Multi-value arguments are also supported:
 

doc/HttpLuaModule.wiki

@@ -3791,7 +3791,12 @@ or a Lua table holding the query arguments' key-value pairs, as in
  ngx.req.set_uri_args({ a = 3, b = "hello world" })
 </geshi>
 
-where in the latter case, this method will escape argument keys and values according to the URI escaping rule.
+In the former case, i.e., when the whole query-strng is provided directly,
+the input Lua string should already be well-formed with the URI encoding.
+For security considerations, his method will autoamticaly escape any control and
+whitespace characters (ASCII code 0x00 ~ 0x32 and 0x7F) in the Lua string.
+
+In the latter case, this method will escape argument keys and values according to the URI escaping rule.
 
 Multi-value arguments are also supported:
 

src/ngx_http_lua_args.c

@@ -19,6 +19,66 @@ static int ngx_http_lua_ngx_req_set_uri_args(lua_State *L);
 static int ngx_http_lua_ngx_req_get_post_args(lua_State *L);
 
 
+uintptr_t
+ngx_http_lua_escape_args(u_char *dst, u_char *src, size_t size)
+{
+ ngx_uint_t n;
+ static u_char hex[] = "0123456789ABCDEF";
+
+ /* %00-%20 %7F*/
+
+ static uint32_t escape[] = {
+ 0xffffffff, /* 1111 1111 1111 1111 1111 1111 1111 1111 */
+
+ /* ?>=< ;:98 7654 3210 /.-, +*)( '&%$ #"! */
+ 0x00000001, /* 0000 0000 0000 0000 0000 0000 0000 0001 */
+
+ /* _^]\ [ZYX WVUT SRQP ONML KJIH GFED CBA@ */
+ 0x00000000, /* 0000 0000 0000 0000 0000 0000 0000 0000 */
+
+ /* ~}| {zyx wvut srqp onml kjih gfed cba` */
+ 0x80000000, /* 1000 0000 0000 0000 0000 0000 0000 0000 */
+
+ 0x00000000, /* 0000 0000 0000 0000 0000 0000 0000 0000 */
+ 0x00000000, /* 0000 0000 0000 0000 0000 0000 0000 0000 */
+ 0x00000000, /* 0000 0000 0000 0000 0000 0000 0000 0000 */
+ 0x00000000, /* 0000 0000 0000 0000 0000 0000 0000 0000 */
+ };
+
+ if (dst == NULL) {
+
+ /* find the number of the characters to be escaped */
+
+ n = 0;
+
+ while (size) {
+ if (escape[*src >> 5] & (1 << (*src & 0x1f))) {
+ n++;
+ }
+ src++;
+ size--;
+ }
+
+ return (uintptr_t) n;
+ }
+
+ while (size) {
+ if (escape[*src >> 5] & (1 << (*src & 0x1f))) {
+ *dst++ = '%';
+ *dst++ = hex[*src >> 4];
+ *dst++ = hex[*src & 0xf];
+ src++;
+
+ } else {
+ *dst++ = *src++;
+ }
+ size--;
+ }
+
+ return (uintptr_t) dst;
+}
+
+
 static int
 ngx_http_lua_ngx_req_set_uri_args(lua_State *L)
 {
@@ -27,6 +87,7 @@ ngx_http_lua_ngx_req_set_uri_args(lua_State *L)
  const char *msg;
  size_t len;
  u_char *p;
+ uintptr_t escape;
 
  if (lua_gettop(L) != 1) {
  return luaL_error(L, "expecting 1 argument but seen %d",
@@ -42,7 +103,6 @@ ngx_http_lua_ngx_req_set_uri_args(lua_State *L)
 
  switch (lua_type(L, 1)) {
  case LUA_TNUMBER:
- case LUA_TSTRING:
  p = (u_char *) lua_tolstring(L, 1, &len);
 
  args.data = ngx_palloc(r->pool, len);
@@ -55,6 +115,32 @@ ngx_http_lua_ngx_req_set_uri_args(lua_State *L)
  args.len = len;
  break;
 
+ case LUA_TSTRING:
+ p = (u_char *) lua_tolstring(L, 1, &len);
+
+ escape = ngx_http_lua_escape_args(NULL, p, len);
+ if (escape > 0) {
+ args.len = len + 2 * escape;
+ args.data = ngx_palloc(r->pool, args.len);
+ if (args.data == NULL) {
+ return NGX_ERROR;
+ }
+
+ ngx_http_lua_escape_args(args.data, p, len);
+
+ } else {
+ args.data = ngx_palloc(r->pool, len);
+ if (args.data == NULL) {
+ return luaL_error(L, "no memory");
+ }
+
+ ngx_memcpy(args.data, p, len);
+
+ args.len = len;
+ }
+
+ break;
+
  case LUA_TTABLE:
  ngx_http_lua_process_args_option(r, L, 1, &args);
 

t/030-uri-args-with-ctrl.t

@@ -0,0 +1,137 @@
+# vim:set ft= ts=4 sw=4 et fdm=marker:
+use Test::Nginx::Socket::Lua;
+
+log_level('warn');
+
+repeat_each(2);
+
+plan tests => repeat_each() * (blocks() * 2 + 3);
+
+no_root_location();
+
+no_long_string();
+run_tests();
+
+__DATA__
+
+=== TEST 1: rewrite args (string with \r)
+--- config
+ location /foo {
+ rewrite_by_lua_block {
+ ngx.req.set_uri_args("a\rb")
+ }
+ proxy_pass http://127.0.0.1:$TEST_NGINX_SERVER_PORT/echo;
+ }
+ location /echo {
+ content_by_lua_block {
+ ngx.say(ngx.var.request_uri);
+ }
+ }
+--- request
+GET /foo?world
+--- error_code: 200
+--- response_body
+/echo?a%0Db
+
+
+
+=== TEST 2: rewrite args (string with \n)
+--- config
+ location /foo {
+ rewrite_by_lua_block {
+ ngx.req.set_uri_args("a\nb")
+ }
+ proxy_pass http://127.0.0.1:$TEST_NGINX_SERVER_PORT/echo;
+ }
+ location /echo {
+ content_by_lua_block {
+ ngx.say(ngx.var.request_uri);
+ }
+ }
+--- request
+GET /foo?world
+--- response_body
+/echo?a%0Ab
+
+
+
+=== TEST 3: rewrite args (string with \0)
+--- config
+ location /foo {
+ rewrite_by_lua_block {
+ ngx.req.set_uri_args("a\0b")
+ }
+ proxy_pass http://127.0.0.1:$TEST_NGINX_SERVER_PORT/echo;
+ }
+ location /echo {
+ content_by_lua_block {
+ ngx.say(ngx.var.request_uri);
+ }
+ }
+--- request
+GET /foo?world
+--- response_body
+/echo?a%00b
+
+
+
+=== TEST 4: rewrite args (string arg with 'lang=中文')
+ngx.req.set_uri_args with string argument should be carefully encoded.
+For backward compatibility, we are allowed to pass such parameters.
+--- config
+ location /foo {
+ rewrite_by_lua_block {
+ ngx.req.set_uri_args("lang=中文")
+ }
+ content_by_lua_block {
+ ngx.say(ngx.var.arg_lang)
+ }
+ }
+--- request
+GET /foo?world
+--- response_body
+中文
+--- no_error_log
+[error]
+
+
+
+=== TEST 5: rewrite args (string arg with '语言=chinese')
+ngx.req.set_uri_args with string argument should be carefully encoded.
+For backward compatibility, we are allowed to pass such parameters.
+--- config
+ location /foo {
+ rewrite_by_lua_block {
+ ngx.req.set_uri_args("语言=chinese")
+ }
+ content_by_lua_block {
+ ngx.say(ngx.var.arg_语言)
+ }
+ }
+--- request
+GET /foo?world
+--- response_body
+chinese
+--- no_error_log
+[error]
+
+
+
+=== TEST 6: rewrite args (string arg with '语言=中文')
+ngx.req.set_uri_args with string argument should be carefully encoded.
+For backward compatibility, we are allowed to pass such parameters.
+--- config
+ location /foo {
+ rewrite_by_lua_block {
+ ngx.req.set_uri_args("语言=中文")
+ }
+ content_by_lua_block {
+ ngx.say(ngx.var.arg_语言)
+ }
+ }
+--- request
+GET /foo?world
+--- response_body
+中文
+--- no_error_log
+[error]