Is nginx vulnerable to the Hash Table Vulnerability (n.runs AG)?

Nginx User nginx at
Sun Jan 1 14:31:46 UTC 2012

On 1 January 2012 17:20, agentzh <agentzh at> wrote:
> On Sun, Jan 1, 2012 at 1:58 PM, Justin Hart <onyxraven at> wrote:
>> Thank you for the confirmation - I read through the parts of code in
>> question but wanted to get a second opinion.
>> How about the lua and/or the perl modules?  It looks as if they are
>> using the nginx functions?
> The current released versions of ngx_lua does have this vulnerability
> in its ngx.req.get_uri_args() and ngx.req.get_post_args() functions.
> I've already worked out a patch for these two functions in ngx_lua's
> git max-args branch here:
> With this patch, both of these functions will only parse 100 query
> args at most. And one can specify a custom maximum number of args
> parsed with an optional function argument (default to 100) and
> enforcing unlimited parsing by specifying a zero number.
> This patch (as well as this branch) will be merged into the master
> branch in 3 Jan.

It would probably be a good idea at that point, to finally make a
release of v0.3.1 of the ngx_lua module as with about 45 "Release
Candidates", it must already hold some record :)

More information about the nginx mailing list