[nginx] Tolerate '\0' in URI when mapping URI to path.
Ruslan Ermilov
ru at nginx.com
Mon Dec 23 15:45:49 UTC 2019
details: https://hg.nginx.org/nginx/rev/02a539522be4
branches:
changeset: 7605:02a539522be4
user: Ruslan Ermilov <ru at nginx.com>
date: Mon Dec 16 15:19:01 2019 +0300
description:
Tolerate '\0' in URI when mapping URI to path.
If a rewritten URI has the null character, only a part of URI was
copied to a memory buffer allocated for path. In some setups this
could be exploited to expose uninitialized memory via the Location
header.
diffstat:
src/http/ngx_http_core_module.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diffs (13 lines):
diff -r 7aa20af4ac00 -r 02a539522be4 src/http/ngx_http_core_module.c
--- a/src/http/ngx_http_core_module.c Mon Dec 16 15:19:01 2019 +0300
+++ b/src/http/ngx_http_core_module.c Mon Dec 16 15:19:01 2019 +0300
@@ -1843,7 +1843,8 @@
}
}
- last = ngx_cpystrn(last, r->uri.data + alias, r->uri.len - alias + 1);
+ last = ngx_copy(last, r->uri.data + alias, r->uri.len - alias);
+ *last = '\0';
return last;
}
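Review bot: the added `*last = '\0';` writes one byte beyond the `r->uri.len - alias` bytes that ngx_copy() fills, so it relies on the allocation earlier in this function (outside the visible context) reserving `r->uri.len - alias + 1` bytes. The removed call passed that same `+ 1` as its bound, which suggests the space is there, but it should be confirmed against the allocation. A short comment on the ngx_copy() line stating that the URI may contain '\0' and that ngx_cpystrn() must not be used here would keep a later cleanup from reverting the change. The path can now also hold an embedded '\0' before the terminator, so code that treats the result as a C string will see a shorter name than code that uses the returned `last`; the description does not say which callers were checked for that.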
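The partial copy that the commit description refers to, as an added example that is not nginx code: `cpystrn_model` and `copy_model` are stand-ins written here for a NUL-stopping bounded copy and a length-based copy, and the 0xAA fill is a constructed substitute for uninitialized memory.

```c
#include <stdio.h>
#include <string.h>

#define FILL 0xAA  /* constructed stand-in for uninitialized heap bytes */

/* Stand-in for a NUL-stopping bounded copy: at most n-1 bytes, stops at
 * the first '\0' in src, returns a pointer to the terminator it wrote. */
static unsigned char *cpystrn_model(unsigned char *dst, const unsigned char *src, size_t n)
{
    if (n == 0) return dst;
    while (--n) {
        *dst = *src;
        if (*dst == '\0') return dst;
        dst++; src++;
    }
    *dst = '\0';
    return dst;
}

/* Stand-in for the length-based copy followed by an explicit terminator. */
static unsigned char *copy_model(unsigned char *dst, const unsigned char *src, size_t n)
{
    unsigned char *last = (unsigned char *) memcpy(dst, src, n) + n;
    *last = '\0';
    return last;
}

/* Copy a len-byte URI tail into a FILL-ed buffer sized len + 1 and count
 * how many of the first len bytes were never written. */
static size_t stale_bytes(int length_based, const unsigned char *uri, size_t len)
{
    unsigned char buf[64];
    size_t i, stale = 0;
    if (len + 1 > sizeof(buf)) return (size_t) -1;
    memset(buf, FILL, sizeof(buf));
    if (length_based) copy_model(buf, uri, len);
    else cpystrn_model(buf, uri, len + 1);
    for (i = 0; i < len; i++) stale += (buf[i] == FILL);
    return stale;
}

/* Constructed sample: 6-byte URI tail with an embedded null character. */
static const unsigned char SAMPLE[] = { '/', 'a', '\0', 'b', 'c', 'd' };
int main(void)
{
    printf("NUL-stopping: %zu stale\n", stale_bytes(0, SAMPLE, sizeof(SAMPLE)));
    printf("length-based: %zu stale\n", stale_bytes(1, SAMPLE, sizeof(SAMPLE)));
    return 0;
}
```

Any consumer that sizes its read from the URI length rather than from the returned pointer would see the unwritten bytes in the NUL-stopping case.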