
[nginx] Fixed variables prefix comparison.

Maxim Dounin
October 19, 2015 03:28PM
details: http://hg.nginx.org/nginx/rev/48c13a0824c5
branches:
changeset: 6263:48c13a0824c5
user: Maxim Dounin <mdounin@mdounin.ru>
date: Mon Oct 19 21:28:17 2015 +0300
description:
Fixed variables prefix comparison.

Variable names are not null-terminated, so using ngx_strncmp() without
extra length checks is wrong.

Reported by Markus Linnala,
http://mailman.nginx.org/pipermail/nginx-devel/2015-August/007211.html.

diffstat:

src/http/ngx_http_variables.c | 38 ++++++++++++++++++++++++++------------
1 files changed, 26 insertions(+), 12 deletions(-)

diffs (122 lines):

diff --git a/src/http/ngx_http_variables.c b/src/http/ngx_http_variables.c
--- a/src/http/ngx_http_variables.c
+++ b/src/http/ngx_http_variables.c
@@ -575,7 +575,7 @@ ngx_http_get_variable(ngx_http_request_t
return NULL;
}

- if (ngx_strncmp(name->data, "http_", 5) == 0) {
+ if (name->len >= 5 && ngx_strncmp(name->data, "http_", 5) == 0) {

if (ngx_http_variable_unknown_header_in(r, vv, (uintptr_t) name)
== NGX_OK)
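Review bot: With `name->len >= 5`, a name that is exactly `http_` still takes this branch and reaches `ngx_http_variable_unknown_header_in()` with an empty header suffix. The same boundary exists in the other five prefix checks in ngx_http_get_variable and in the six checks in ngx_http_variables_init_vars. How the handlers treat a zero-length suffix is not visible in these hunks. Either tighten the test to `name->len > 5` (and likewise for the other prefixes), or, once the behaviour is confirmed, add a comment such as `/* a bare prefix is passed through; the handler reports it as not found */`. The function body starts and ends outside the hunk.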
@@ -586,7 +586,7 @@ ngx_http_get_variable(ngx_http_request_t
return NULL;
}

- if (ngx_strncmp(name->data, "sent_http_", 10) == 0) {
+ if (name->len >= 10 && ngx_strncmp(name->data, "sent_http_", 10) == 0) {

if (ngx_http_variable_unknown_header_out(r, vv, (uintptr_t) name)
== NGX_OK)
@@ -597,7 +597,7 @@ ngx_http_get_variable(ngx_http_request_t
return NULL;
}

- if (ngx_strncmp(name->data, "upstream_http_", 14) == 0) {
+ if (name->len >= 14 && ngx_strncmp(name->data, "upstream_http_", 14) == 0) {

if (ngx_http_upstream_header_variable(r, vv, (uintptr_t) name)
== NGX_OK)
@@ -608,7 +608,7 @@ ngx_http_get_variable(ngx_http_request_t
return NULL;
}

- if (ngx_strncmp(name->data, "cookie_", 7) == 0) {
+ if (name->len >= 7 && ngx_strncmp(name->data, "cookie_", 7) == 0) {

if (ngx_http_variable_cookie(r, vv, (uintptr_t) name) == NGX_OK) {
return vv;
@@ -617,7 +617,9 @@ ngx_http_get_variable(ngx_http_request_t
return NULL;
}

- if (ngx_strncmp(name->data, "upstream_cookie_", 16) == 0) {
+ if (name->len >= 16
+ && ngx_strncmp(name->data, "upstream_cookie_", 16) == 0)
+ {

if (ngx_http_upstream_cookie_variable(r, vv, (uintptr_t) name)
== NGX_OK)
@@ -628,7 +630,7 @@ ngx_http_get_variable(ngx_http_request_t
return NULL;
}

- if (ngx_strncmp(name->data, "arg_", 4) == 0) {
+ if (name->len >= 4 && ngx_strncmp(name->data, "arg_", 4) == 0) {

if (ngx_http_variable_argument(r, vv, (uintptr_t) name) == NGX_OK) {
return vv;
@@ -2535,21 +2537,27 @@ ngx_http_variables_init_vars(ngx_conf_t
}
}

- if (ngx_strncmp(v[i].name.data, "http_", 5) == 0) {
+ if (v[i].name.len >= 5
+ && ngx_strncmp(v[i].name.data, "http_", 5) == 0)
+ {
v[i].get_handler = ngx_http_variable_unknown_header_in;
v[i].data = (uintptr_t) &v[i].name;

continue;
}

- if (ngx_strncmp(v[i].name.data, "sent_http_", 10) == 0) {
+ if (v[i].name.len >= 10
+ && ngx_strncmp(v[i].name.data, "sent_http_", 10) == 0)
+ {
v[i].get_handler = ngx_http_variable_unknown_header_out;
v[i].data = (uintptr_t) &v[i].name;

continue;
}

- if (ngx_strncmp(v[i].name.data, "upstream_http_", 14) == 0) {
+ if (v[i].name.len >= 14
+ && ngx_strncmp(v[i].name.data, "upstream_http_", 14) == 0)
+ {
v[i].get_handler = ngx_http_upstream_header_variable;
v[i].data = (uintptr_t) &v[i].name;
v[i].flags = NGX_HTTP_VAR_NOCACHEABLE;
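Review bot: Each check pairs a string literal with a hand-counted length that now appears twice (`v[i].name.len >= 14` and the `14` passed to ngx_strncmp), so a miscounted or later-edited prefix would silently bring back the over-read this commit removes. Deriving both from the literal keeps them in step, for example with a local helper `#define ngx_http_var_prefix(n, p) ((n)->len >= sizeof(p) - 1 && ngx_strncmp((n)->data, p, sizeof(p) - 1) == 0)`; the name is only a suggestion. A one-line comment at the first check would also help, `/* name.data is not null-terminated: test len before ngx_strncmp() */`. This applies equally to the remaining checks in this function and to the six in ngx_http_get_variable. The loop body continues outside the hunk.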
@@ -2557,14 +2565,18 @@ ngx_http_variables_init_vars(ngx_conf_t
continue;
}

- if (ngx_strncmp(v[i].name.data, "cookie_", 7) == 0) {
+ if (v[i].name.len >= 7
+ && ngx_strncmp(v[i].name.data, "cookie_", 7) == 0)
+ {
v[i].get_handler = ngx_http_variable_cookie;
v[i].data = (uintptr_t) &v[i].name;

continue;
}

- if (ngx_strncmp(v[i].name.data, "upstream_cookie_", 16) == 0) {
+ if (v[i].name.len >= 16
+ && ngx_strncmp(v[i].name.data, "upstream_cookie_", 16) == 0)
+ {
v[i].get_handler = ngx_http_upstream_cookie_variable;
v[i].data = (uintptr_t) &v[i].name;
v[i].flags = NGX_HTTP_VAR_NOCACHEABLE;
@@ -2572,7 +2584,9 @@ ngx_http_variables_init_vars(ngx_conf_t
continue;
}

- if (ngx_strncmp(v[i].name.data, "arg_", 4) == 0) {
+ if (v[i].name.len >= 4
+ && ngx_strncmp(v[i].name.data, "arg_", 4) == 0)
+ {
v[i].get_handler = ngx_http_variable_argument;
v[i].data = (uintptr_t) &v[i].name;
v[i].flags = NGX_HTTP_VAR_NOCACHEABLE;

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel