nbs-system / naxsi

NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX
GNU General Public License v3.0
4.8k stars 606 forks source link

mainRule bad utf8 check error #613

Closed renzhengxiao closed 2 years ago

renzhengxiao commented 2 years ago

eg: {"BANK_NAME":"建设银行","NAME":"山西测试有限责任公司"} this string is valid,but block with 403, view code naxsi_utils.c 133 line

  if ((s[1] & 0xc0) != 0x80 || (s[2] & 0xc0) != 0x80 ||
      (s[0] == 0xe0 && (s[1] & 0xe0) == 0x80) ||               /* overlong? */
      (s[0] == 0xed && (s[1] & 0xe0) == 0xa0) ||               /* surrogate? */
      (s[0] == 0xef && s[1] == 0xbf && (s[2] & 0xfe) == 0xbe)) /* U+FFFE or U+FFFF? */
    return s;
  else
    s += 3;     // **_should add offset += 3;_** 
} else if ((s[0] & 0xf8) == 0xf0) {
  if (offset + 3 >= str->len) {
    // not enough bytes
    return s;
  }
  /* 11110XXX 10XXxxxx 10xxxxxx 10xxxxxx */
  if ((s[1] & 0xc0) != 0x80 || (s[2] & 0xc0) != 0x80 || (s[3] & 0xc0) != 0x80 ||
      (s[0] == 0xf0 && (s[1] & 0xf0) == 0x80) ||      /* overlong? */
      (s[0] == 0xf4 && s[1] > 0x8f) || s[0] > 0xf4) { /* > U+10FFFF? */
    return s;
  } else {
    s += 4;   // **_should add offset += 4;_** 
  }
} else {
  return s;
}

shoud be

wargio commented 2 years ago

Fixed, can you verify it? please also do not use this repo, but instead use mine directly. https://github.com/wargio/naxsi

renzhengxiao commented 2 years ago

Fixed, can you verify it? please also do not use this repo, but instead use mine directly. https://github.com/wargio/naxsi

i think your code is right, i fixed the problem by the same code

wargio commented 2 years ago

perfect.