Sergey Kandaurov
September 03, 2019 10:30AM
details: https://hg.nginx.org/nginx/rev/52b5ee64fe11
branches:
changeset: 7562:52b5ee64fe11
user: Sergey Kandaurov <pluknet@nginx.com>
date: Tue Sep 03 17:26:56 2019 +0300
description:
Detect runaway chunks in ngx_http_parse_chunked().

As defined in HTTP/1.1, body chunks have the following ABNF:

chunk = chunk-size [ chunk-ext ] CRLF chunk-data CRLF

where chunk-data is a sequence of chunk-size octets.

With this change, chunk-data that doesn't end up with CRLF at chunk-size
offset will be treated as invalid, such as in the example provided below:

4
SEE-THIS-AND-
4
THAT
0

diffstat:

src/http/ngx_http_parse.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)

diffs (13 lines):

diff -r 9f1f9d6e056a -r 52b5ee64fe11 src/http/ngx_http_parse.c
--- a/src/http/ngx_http_parse.c Mon Aug 19 15:16:06 2019 +0300
+++ b/src/http/ngx_http_parse.c Tue Sep 03 17:26:56 2019 +0300
@@ -2268,6 +2268,9 @@ ngx_http_parse_chunked(ngx_http_request_
break;
case LF:
state = sw_chunk_start;
+ break;
+ default:
+ goto invalid;
}
break;

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
Subject Author Views Posted

[nginx] Detect runaway chunks in ngx_http_parse_chunked().

Sergey Kandaurov 88 September 03, 2019 10:30AM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 70
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready