[nginx] Tolerate '\0' in URI when mapping URI to path.

December 23, 2019 10:48AM
details: https://hg.nginx.org/nginx/rev/02a539522be4
branches:
changeset: 7605:02a539522be4
user: Ruslan Ermilov <ru@nginx.com>
date: Mon Dec 16 15:19:01 2019 +0300
description:
Tolerate '\0' in URI when mapping URI to path.

If a rewritten URI has the null character, only a part of URI was
copied to a memory buffer allocated for path. In some setups this
could be exploited to expose uninitialized memory via the Location
header.

diffstat:

src/http/ngx_http_core_module.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)

diffs (13 lines):

diff -r 7aa20af4ac00 -r 02a539522be4 src/http/ngx_http_core_module.c
--- a/src/http/ngx_http_core_module.c Mon Dec 16 15:19:01 2019 +0300
+++ b/src/http/ngx_http_core_module.c Mon Dec 16 15:19:01 2019 +0300
@@ -1843,7 +1843,8 @@
}
}

- last = ngx_cpystrn(last, r->uri.data + alias, r->uri.len - alias + 1);
+ last = ngx_copy(last, r->uri.data + alias, r->uri.len - alias);
+ *last = '\0';

return last;
}
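Review bot: The `*last = '\0';` store after the new `ngx_copy()` call relies on the destination having room for `r->uri.len - alias` bytes plus one terminator, and the allocation that guarantees this is outside the visible context. The old call passed `r->uri.len - alias + 1` as its limit, so the byte budget looks unchanged, but a one-line comment at this spot stating that the buffer was reserved with space for the trailing NUL would make that invariant checkable in review. A second point on the same lines: the copy no longer stops at the first '\0' in the URI, so the returned `last` now reflects the full URI length, while any consumer that treats the path as a C string will still stop at the embedded NUL. A comment here saying that callers should rely on the length derived from `last`, plus a regression test with a rewritten URI containing '\0', would keep the Location header case from the description covered.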
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel