Re: [PATCH] Fastcgi: core dump was caused by duplicated request header

Maxim Dounin
May 31, 2011 07:58PM
Hello!

On Wed, Jun 01, 2011 at 12:24:10AM +0800, Simon Liu wrote:

> This bug will give rise to an nginx (version >= 0.8.40) core dump, and it was
> caused by this feature:
>
> *) Feature: a "fastcgi_param" directive with value starting with
> "HTTP_" overrides a client request header line.
>
>
> When we define a fastcgi_param directive with a value starting with "HTTP_",
> nginx mallocs an array (size is header_params, that is, the number of values starting
> with "HTTP_"), and if the request header contains this value (HTTP_xxx), nginx
> will add this header pointer to the array, but if the header is duplicated, this
> array will cross-border.
>
> e.g. if the config contains this directive (fastcgi_param HTTP_HOST
> $http_host), and then the request sends multiple duplicated headers (Host),
> nginx will core dump.

Yes, thank you, it's a known problem.

[...]

> +static ngx_inline ngx_int_t
> +ngx_http_fastcgi_ignored_header(ngx_uint_t hash, ngx_uint_t header_params,
> ngx_uint_t *ignored)
> +{
> + ngx_uint_t n;
> +
> + for (n = 0; n < header_params; n++) {
> + if (hash == ignored[n]) {
> + return NGX_OK;
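
Review bot: the `hash == ignored[n]` test in the loop identifies a header by its hash value alone, so a different header name that happens to hash to the same value is treated as ignored too. Keep the configured name (length and bytes) next to each stored hash and compare it after the hash matches, using the hash only as a fast first filter.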

You can't rely on hash here, as it's expected to have collisions.

[...]

> @@ -2374,7 +2363,22 @@
>
> hk->key.len = src[i].key.len - 5;
> hk->key.data = src[i].key.data + 5;
> - hk->key_hash = ngx_hash_key_lc(hk->key.data, hk->key.len);
> +
> + params_hash = 0;
> + for (n = 5; n < src[i].key.len; n++) {
> + ch = src[i].key.data[n];
> +
> + if (ch >= 'A' && ch <= 'Z') {
> + ch |= 0x20;
> +
> + } else if (ch == '_') {
> + ch = '-';
> + }
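
Review bot: the new loop starts at `n = 5`, which is a third hard-coded copy of the "HTTP_" prefix length already used in `src[i].key.len - 5` and `src[i].key.data + 5`. Iterate over `hk->key.data` for `hk->key.len` bytes, or name the constant once, so the offset cannot drift between the three places. The `_` to `-` branch also runs for every underscore with no condition, which should at least be documented next to the loop.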

This makes it impossible to overwrite headers with real underscores
(if underscores_in_headers are allowed).

Maxim Dounin

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://nginx.org/mailman/listinfo/nginx-devel
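
The two problems raised in this thread (duplicate headers overrunning an array sized by the number of configured overrides, and matching by hash alone), modelled in C as an added example that is not part of the original message or of nginx source. All names (`weak_hash`, `collect_ignored`, the sample headers) are constructed for illustration, and the byte-sum hash is deliberately weak so that a collision is easy to show.

```c
#include <ctype.h>
#include <stddef.h>

/* Constructed model of the bug class in this thread; not nginx source. */
typedef struct { const char *name; const char *value; } header_t;

/* Deliberately weak case-insensitive hash (byte sum): collisions are easy to hit. */
static unsigned weak_hash(const char *s) {
    unsigned h = 0;
    for (; *s; s++) h += (unsigned) tolower((unsigned char) *s);
    return h;
}

/* Case-insensitive comparison of two complete header names. */
static int name_eq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char) *a) != tolower((unsigned char) *b)) return 0;
    return *a == *b;
}

/* Hash-only match: the approach the review reply objects to. */
static int match_hash_only(const char *name, const char *param) {
    return weak_hash(name) == weak_hash(param);
}

/* Hash as a fast filter, then the full name decides. */
static int match_full(const char *name, const char *param) {
    return weak_hash(name) == weak_hash(param) && name_eq(name, param);
}

/* Record request headers replaced by a configured override. Writes at most
 * `cap` pointers and returns how many headers matched, so duplicates cannot
 * write past the array and the caller can see when it was too small. */
static size_t collect_ignored(const header_t *req, size_t n_req,
                              const char *const *params, size_t n_params,
                              int (*match)(const char *, const char *),
                              const header_t **ignored, size_t cap) {
    size_t seen = 0;
    for (size_t i = 0; i < n_req; i++)
        for (size_t p = 0; p < n_params; p++)
            if (match(req[i].name, params[p])) {
                if (seen < cap) ignored[seen] = &req[i];  /* bounded write */
                seen++;
                break;                 /* count each request header once */
            }
    return seen;
}

/* Constructed sample: "Host" twice, plus "Hots", which collides under weak_hash. */
static const header_t sample_req[] = {
    {"Host", "a.example"}, {"Host", "b.example"}, {"Hots", "x"}, {"Accept", "*/*"},
};
static const char *const sample_params[] = {"host"};  /* one override configured */
```

With one override configured and one slot allocated, `collect_ignored` reports two matches for the duplicated `Host` header, which is the condition the unbounded version wrote out of bounds on.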