Thank you for the confirmation - I read through the parts of code in
question but wanted to get a second opinion.

How about the lua and/or the perl modules? It looks as if they are
using the nginx functions?

Sent from my iPhone

On Dec 31, 2011, at 10:54 PM, agentzh <agentzh@gmail.com> wrote:

> On Sun, Jan 1, 2012 at 2:37 AM, Justin Hart <onyxraven@gmail.com> wrote:
>> http://www.securityweek.com/hash-table-collision-attacks-could-trigger-ddos-massive-scale
>>
>> Without going through the way nginx parses an incoming request, I'm unsure
>> if nginx isn't vulnerable to this, because of the availability to grab the
>> value of a GET parameter
>> via http://wiki.nginx.org/HttpCoreModule#.24arg_PARAMETER. My hope is that
>> especially if an $arg_PARAMETER isn't used in the config, it is not
>> vulnerable because it wouldn't even attempt to parse the parameters, but I
>> can't be sure.
>>
>
> Well, the $arg_PARAMETER variable is not implemented with hash tables
> at all ;) It scans the URI query string at every invocation :)
>
> Regards,
> -agentzh
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx