Welcome! Log In Create A New Profile

Advanced

[nginx] Upstream: disallow empty path in proxy_store and friends.

Anonymous User
November 25, 2024 08:38AM
details: https://github.com/nginx/nginx/commit/a448dd52ee27ec3a550cb7d03fd27153f4799f0c
branches: master
commit: a448dd52ee27ec3a550cb7d03fd27153f4799f0c
user: Sergey Kandaurov <pluknet@nginx.com>
date: Thu, 21 Nov 2024 12:35:50 +0400
description:
Upstream: disallow empty path in proxy_store and friends.

Renaming a temporary file to an empty path ("") returns NGX_ENOPATH
with a subsequent ngx_create_full_path() to create the full path.
This function skips initial bytes as part of path separator lookup,
which causes out of bounds access on short strings.

The fix is to avoid renaming a temporary file to an obviously invalid
path, as well as explicitly forbid such syntax for literal values.

Although Coverity reports about potential type underflow, it is not
actually possible because the terminating '\0' is always included.

Notably, the run-time check is sufficient enough for Win32 as well.
Other short invalid values result either in NGX_ENOENT or NGX_EEXIST
and "MoveFile() .. failed" critical log messages, which involves a
separate error handling.

Prodded by Coverity (CID 1605485).

---
src/http/modules/ngx_http_fastcgi_module.c | 5 +++++
src/http/modules/ngx_http_proxy_module.c | 5 +++++
src/http/modules/ngx_http_scgi_module.c | 5 +++++
src/http/modules/ngx_http_uwsgi_module.c | 5 +++++
src/http/ngx_http_upstream.c | 4 ++++
5 files changed, 24 insertions(+)

diff --git a/src/http/modules/ngx_http_fastcgi_module.c b/src/http/modules/ngx_http_fastcgi_module.c
index 743fe0c0c..a41b496dc 100644
--- a/src/http/modules/ngx_http_fastcgi_module.c
+++ b/src/http/modules/ngx_http_fastcgi_module.c
@@ -3781,6 +3781,11 @@ ngx_http_fastcgi_store(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
return NGX_CONF_OK;
}

+ if (value[1].len == 0) {
+ ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "empty path");
+ return NGX_CONF_ERROR;
+ }
+
#if (NGX_HTTP_CACHE)
if (flcf->upstream.cache > 0) {
return "is incompatible with \"fastcgi_cache\"";
diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c
index 25fa92bae..855ef523d 100644
--- a/src/http/modules/ngx_http_proxy_module.c
+++ b/src/http/modules/ngx_http_proxy_module.c
@@ -4943,6 +4943,11 @@ ngx_http_proxy_store(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
return NGX_CONF_OK;
}

+ if (value[1].len == 0) {
+ ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "empty path");
+ return NGX_CONF_ERROR;
+ }
+
#if (NGX_HTTP_CACHE)
if (plcf->upstream.cache > 0) {
return "is incompatible with \"proxy_cache\"";
diff --git a/src/http/modules/ngx_http_scgi_module.c b/src/http/modules/ngx_http_scgi_module.c
index 671cd2cb7..9023a36e4 100644
--- a/src/http/modules/ngx_http_scgi_module.c
+++ b/src/http/modules/ngx_http_scgi_module.c
@@ -1995,6 +1995,11 @@ ngx_http_scgi_store(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
return NGX_CONF_OK;
}

+ if (value[1].len == 0) {
+ ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "empty path");
+ return NGX_CONF_ERROR;
+ }
+
#if (NGX_HTTP_CACHE)
if (scf->upstream.cache > 0) {
return "is incompatible with \"scgi_cache\"";
diff --git a/src/http/modules/ngx_http_uwsgi_module.c b/src/http/modules/ngx_http_uwsgi_module.c
index f42ae706a..7988cc589 100644
--- a/src/http/modules/ngx_http_uwsgi_module.c
+++ b/src/http/modules/ngx_http_uwsgi_module.c
@@ -2322,6 +2322,11 @@ ngx_http_uwsgi_store(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
return NGX_CONF_OK;
}

+ if (value[1].len == 0) {
+ ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "empty path");
+ return NGX_CONF_ERROR;
+ }
+
#if (NGX_HTTP_CACHE)

if (uwcf->upstream.cache > 0) {
diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c
index 82a230024..d95662c56 100644
--- a/src/http/ngx_http_upstream.c
+++ b/src/http/ngx_http_upstream.c
@@ -4357,6 +4357,10 @@ ngx_http_upstream_store(ngx_http_request_t *r, ngx_http_upstream_t *u)
"upstream stores \"%s\" to \"%s\"",
tf->file.name.data, path.data);

+ if (path.len == 0) {
+ return;
+ }
+
(void) ngx_ext_rename_file(&tf->file.name, &path, &ext);

u->store = 0;
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel
Subject Author Views Posted

[nginx] Upstream: disallow empty path in proxy_store and friends.

Anonymous User 116 November 25, 2024 08:38AM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 200
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 500 on July 15, 2024
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready