Is nginx vulnerable to the Hash Table Vulnerability (n.runs AG)?
agentzh
agentzh at gmail.com
Wed Jan 4 11:48:35 UTC 2012
On Sun, Jan 1, 2012 at 10:20 PM, agentzh <agentzh at gmail.com> wrote:
> The current released versions of ngx_lua do have this vulnerability
> in its ngx.req.get_uri_args() and ngx.req.get_post_args() functions.
> I've already worked out a patch for these two functions in ngx_lua's
> git max-args branch here:
>
> https://github.com/chaoslawful/lua-nginx-module/commit/75876
>
> With this patch, both of these functions will only parse 100 query
> args at most. And one can specify a custom maximum number of args
> parsed with an optional function argument (default to 100) and
> enforcing unlimited parsing by specifying a zero number.
>
> This patch (as well as this branch) will be merged into the master
> branch on 3 Jan.
>
I've also added similar protections to ngx.req.get_headers():
http://wiki.nginx.org/HttpLuaModule#ngx.req.get_headers
All of these changes have been released as ngx_lua 0.3.1rc45:
https://github.com/chaoslawful/lua-nginx-module/tags
and also included in the ngx_openresty bundle's devel version 1.0.10.39:
http://openresty.org/#Download
Feedback welcome!
Best,
-agentzh
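
Added example, not part of the original message and not ngx_lua's code: a small Python model of the capped argument parsing described above (at most 100 pairs by default, a custom limit through an optional argument, 0 for unlimited). The name `parse_args`, the `truncated` return flag and the sample query string are assumptions made for the illustration.

```python
from urllib.parse import unquote_plus

DEFAULT_MAX_ARGS = 100  # default cap stated in the post


def parse_args(query, max_args=DEFAULT_MAX_ARGS):
    """Model of a capped query-string parser (hypothetical, not ngx_lua code).

    Stores at most max_args key/value pairs; max_args == 0 means unlimited.
    Returns (args, truncated); the truncated flag is an addition of this model.
    """
    if max_args < 0:
        raise ValueError("max_args must be >= 0")
    args, parsed, pos, n = {}, 0, 0, len(query)
    while pos < n:
        if max_args and parsed >= max_args:
            return args, True  # cap reached: the remainder is never scanned
        end = query.find("&", pos)
        if end == -1:
            end = n
        pair, pos = query[pos:end], end + 1
        key, sep, value = pair.partition("=")
        key = unquote_plus(key)
        if not key:
            continue  # empty segment ("a=1&&b=2") or empty key: nothing stored
        value = unquote_plus(value) if sep else True  # bare "flag" -> True
        if key in args:  # repeated key: collect values in a list
            if isinstance(args[key], list):
                args[key].append(value)
            else:
                args[key] = [args[key], value]
        else:
            args[key] = value
        parsed += 1  # every stored pair counts, repeated keys included
    return args, False


def demo():
    # Constructed sample input: 5000 distinct keys in one query string.
    flood = "&".join("k%d=v" % i for i in range(5000))
    capped, cut = parse_args(flood)        # default cap
    custom, _ = parse_args(flood, 10)      # caller-chosen cap
    everything, _ = parse_args(flood, 0)   # 0 disables the cap
    return len(capped), cut, len(custom), len(everything)


if __name__ == "__main__":
    print(demo())
```

With the cap in place, the number of keys inserted into the table is bounded by `max_args` no matter how many arguments the request carries; arguments past the cap are dropped, so code that depends on a specific argument should treat a truncated parse as an error.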