Is nginx vulnerable to the Hash Table Vulnerability (n.runs AG)?

Sergey A. Osokin osa at FreeBSD.org.ru
Sun Jan 1 18:38:09 UTC 2012


On Sun, Jan 01, 2012 at 05:31:46PM +0300, Nginx User wrote:
> On 1 January 2012 17:20, agentzh <agentzh at gmail.com> wrote:
> > On Sun, Jan 1, 2012 at 1:58 PM, Justin Hart <onyxraven at gmail.com> wrote:
> >> Thank you for the confirmation - I read through the parts of code in
> >> question but wanted to get a second opinion.
> >>
> >> How about the lua and/or the perl modules?  It looks as if they are
> >> using the nginx functions?
> >
> > The current released versions of ngx_lua do have this vulnerability
> > in its ngx.req.get_uri_args() and ngx.req.get_post_args() functions.
> > I've already worked out a patch for these two functions in ngx_lua's
> > git max-args branch here:
> >
> >    https://github.com/chaoslawful/lua-nginx-module/commit/75876
> >
> > With this patch, both of these functions will only parse 100 query
> > args at most. And one can specify a custom maximum number of args
> > parsed with an optional function argument (defaults to 100) and
> > enforce unlimited parsing by specifying zero.
> >
> > This patch (as well as this branch) will be merged into the master
> > branch on 3 Jan.
> 
> It would probably be a good idea at that point, to finally make a
> release of v0.3.1 of the ngx_lua module as with about 45 "Release
> Candidates", it must already hold some record :)

+1.

-- 
Sergey A. Osokin
osa at FreeBSD.ORG.ru
osa at FreeBSD.ORG
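
An added example, not part of the original thread and not ngx_lua's code: a Python sketch of the capping behaviour described in the quoted message (at most 100 args parsed by default, a custom limit through an optional argument, zero meaning unlimited). The name `parse_query_args` and the `truncated` return flag are assumptions made for illustration.

```python
from urllib.parse import unquote_plus

DEFAULT_MAX_ARGS = 100  # default cap stated in the thread


def parse_query_args(query, max_args=DEFAULT_MAX_ARGS):
    """Parse a query string, storing at most max_args pairs in the table.

    max_args == 0 disables the cap. Returns (args, truncated); the
    truncated flag is an assumption of this sketch, not the ngx_lua API.
    """
    if max_args < 0:
        raise ValueError("max_args must be >= 0")
    args, stored, pos, n = {}, 0, 0, len(query)
    while pos < n:
        if max_args and stored >= max_args:
            return args, True  # stop before inserting any further keys
        end = query.find("&", pos)
        if end == -1:
            end = n
        pair, pos = query[pos:end], end + 1
        if not pair:
            continue  # empty segment such as "a=1&&b=2": nothing to store
        key, sep, value = pair.partition("=")
        key = unquote_plus(key)
        value = unquote_plus(value) if sep else True  # bare "flag" -> True
        if key not in args:
            args[key] = value
        elif isinstance(args[key], list):
            args[key].append(value)  # repeated key: collect into a list
        else:
            args[key] = [args[key], value]
        stored += 1  # every stored pair counts, so table work is bounded
    return args, False


if __name__ == "__main__":
    # Constructed input: 250 distinct keys, far more than a normal request.
    big = "&".join(f"k{i}=v{i}" for i in range(250))
    for limit in (DEFAULT_MAX_ARGS, 10, 0):
        parsed, cut = parse_query_args(big, limit)
        print(f"max_args={limit}: stored={len(parsed)} truncated={cut}")
```

A caller that sees `truncated` set can reject or log the request instead of silently working with a partial argument table.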


