[PATCH] perl module: fix SSI parameter termination bug
Alexandr Gomoliako
zzz at zzz.org.ua
Tue Mar 13 14:16:30 UTC 2012
> The null-terminated string in handler is required for
>
> sv = newSVpvn((char *) handler->data, handler->len);
>
> below though, and your patch will break it.
This is incorrect, newSVpvn creates a new SV and copies header->len
bytes from header->data into it. It never does strlen() on this data
and always allocates extra byte itself. So, something like this is
fine:
newSVpvn("\0\0\0", 3);
> Hmm, I was going by this info in the perlapi documentation, which made
> me think that newSVpvn didn't need it:
> "Notice that you can choose to specify the length of the string to be
> assigned by using sv_setpvn , newSVpvn , or newSVpv , or you may allow
> Perl to calculate the length by using sv_setpv or by specifying 0 as
> the second argument to newSVpv . Be warned, though, that Perl will
> determine the string's length by using strlen , which depends on the
> string terminating with a NUL character."
> However I see below that it says:
> "All SVs that contain strings should be terminated with a NUL
> character. If it is not NUL-terminated there is a risk of core dumps
> and corruptions from code which passes the string to C functions or
> system calls which expect a NUL-terminated string. Perl's own
> functions typically add a trailing NUL for this reason."
Notice how it says, that "Perl's own functions typically add a
trailing NUL for this reason.", this includes newSVpvn.
>> Correct solution would be to reserve space for NUL character in
>> ssi module instead. Quick and dirty patch which should work:
>> --- a/src/http/modules/ngx_http_ssi_filter_module.c
>> +++ b/src/http/modules/ngx_http_ssi_filter_module.c
>> @@ -1204,7 +1204,7 @@ ngx_http_ssi_parse(ngx_http_request_t *r
>>
>> if (ctx->value_buf == NULL) {
>> ctx->param->value.data = ngx_pnalloc(r->pool,
>> - ctx->value_len);
>> + ctx->value_len +
>> 1);
>> if (ctx->param->value.data == NULL) {
>> return NGX_ERROR;
>> }
>>
>
> I wasn't sure if changing the SSI allocation code was appropriate in
> this case, but since newSVpvn really does need the NULL termination,
> this is indeed a better idea.
No, it's not. The only solution is to fix it in ssi module, as
proposed by Maxim.
More information about the nginx-devel
mailing list