Changeset 4534:fb322541c548 in nginx


Timestamp:
03/15/12 11:41:43 (8 years ago)
Author:
Maxim Dounin <mdounin@…>
Branch:
stable-1.0
Phase:
public
Convert:
svn:c3fe7df1-7212-e011-8a91-001109144009/branches/stable-1.0@4535
Message:

Merge of r4530, r4531: null character fixes.

*) Fixed incorrect ngx_cpystrn() usage in ngx_http_*_process_header().

This resulted in a disclosure of previously freed memory if an upstream
server returned a specially crafted response, potentially exposing
sensitive information.

Reported by Matthew Daley.

*) Headers with null character are now rejected.

Headers with NUL character aren't allowed by HTTP standard and may cause
various security problems. They are now unconditionally rejected.

Location:
src/http
Files:
5 edited

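--- a/src/http/modules/ngx_http_fastcgi_module.c
+++ b/src/http/modules/ngx_http_fastcgi_module.c
@@ -1447,8 +1447,8 @@
                                      + h->value.len + 1;
 
-                    ngx_cpystrn(h->key.data, r->header_name_start,
-                                h->key.len + 1);
-                    ngx_cpystrn(h->value.data, r->header_start,
-                                h->value.len + 1);
+                    ngx_memcpy(h->key.data, r->header_name_start, h->key.len);
+                    h->key.data[h->key.len] = '\0';
+                    ngx_memcpy(h->value.data, r->header_start, h->value.len);
+                    h->value.data[h->value.len] = '\0';
                 }
 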
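Review bot: The copy-and-terminate sequence at new lines 1449-1452 is repeated verbatim in the proxy, SCGI and uwsgi sections of this changeset, and none of the four copies says why ngx_cpystrn() must not come back. ngx_cpystrn() stops at the first NUL in the source, so the tail of the destination presumably kept whatever the allocator handed back while h->key.len and h->value.len still covered it, which matches the disclosure described in the commit message. A comment above the first ngx_memcpy() would guard against a later "simplification", for example `/* not ngx_cpystrn(): it stops at NUL and leaves the rest of the buffer unwritten */`. Moving the four lines into one shared helper would also keep the modules from drifting apart again; the enclosing function starts and ends outside this section.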
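--- a/src/http/modules/ngx_http_proxy_module.c
+++ b/src/http/modules/ngx_http_proxy_module.c
@@ -1279,6 +1279,8 @@
             h->lowcase_key = h->key.data + h->key.len + 1 + h->value.len + 1;
 
-            ngx_cpystrn(h->key.data, r->header_name_start, h->key.len + 1);
-            ngx_cpystrn(h->value.data, r->header_start, h->value.len + 1);
+            ngx_memcpy(h->key.data, r->header_name_start, h->key.len);
+            h->key.data[h->key.len] = '\0';
+            ngx_memcpy(h->value.data, r->header_start, h->value.len);
+            h->value.data[h->value.len] = '\0';
 
             if (h->key.len == r->lowcase_index) {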
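--- a/src/http/modules/ngx_http_scgi_module.c
+++ b/src/http/modules/ngx_http_scgi_module.c
@@ -895,6 +895,8 @@
             h->lowcase_key = h->key.data + h->key.len + 1 + h->value.len + 1;
 
-            ngx_cpystrn(h->key.data, r->header_name_start, h->key.len + 1);
-            ngx_cpystrn(h->value.data, r->header_start, h->value.len + 1);
+            ngx_memcpy(h->key.data, r->header_name_start, h->key.len);
+            h->key.data[h->key.len] = '\0';
+            ngx_memcpy(h->value.data, r->header_start, h->value.len);
+            h->value.data[h->value.len] = '\0';
 
             if (h->key.len == r->lowcase_index) {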
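--- a/src/http/modules/ngx_http_uwsgi_module.c
+++ b/src/http/modules/ngx_http_uwsgi_module.c
@@ -948,6 +948,8 @@
             h->lowcase_key = h->key.data + h->key.len + 1 + h->value.len + 1;
 
-            ngx_cpystrn(h->key.data, r->header_name_start, h->key.len + 1);
-            ngx_cpystrn(h->value.data, r->header_start, h->value.len + 1);
+            ngx_memcpy(h->key.data, r->header_name_start, h->key.len);
+            h->key.data[h->key.len] = '\0';
+            ngx_memcpy(h->value.data, r->header_start, h->value.len);
+            h->value.data[h->value.len] = '\0';
 
             if (h->key.len == r->lowcase_index) {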
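--- a/src/http/ngx_http_parse.c
+++ b/src/http/ngx_http_parse.c
@@ -815,4 +815,8 @@
                 }
 
+                if (ch == '\0') {
+                    return NGX_HTTP_PARSE_INVALID_HEADER;
+                }
+
                 r->invalid_header = 1;
 
@@ -877,4 +881,8 @@
             }
 
+            if (ch == '\0') {
+                return NGX_HTTP_PARSE_INVALID_HEADER;
+            }
+
             r->invalid_header = 1;
 
@@ -895,4 +903,6 @@
                 r->header_end = p;
                 goto done;
+            case '\0':
+                return NGX_HTTP_PARSE_INVALID_HEADER;
             default:
                 r->header_start = p;
@@ -916,4 +926,6 @@
                 r->header_end = p;
                 goto done;
+            case '\0':
+                return NGX_HTTP_PARSE_INVALID_HEADER;
             }
             break;
@@ -929,4 +941,6 @@
             case LF:
                 goto done;
+            case '\0':
+                return NGX_HTTP_PARSE_INVALID_HEADER;
             default:
                 state = sw_value;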
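Review bot: The two `if (ch == '\0')` checks at new lines 817 and 883 sit directly in front of `r->invalid_header = 1;` with no comment saying that NUL deliberately bypasses that softer path, and the three `case '\0':` arms at 905, 928 and 943 are equally silent. A one-line comment at the first check, such as `/* NUL is never tolerated: reject outright instead of flagging invalid_header */`, would record the intent the commit message states. Because the same rule is now spelled out in five separate places, a regression test that puts a NUL at each of those positions would keep a later edit to one state from quietly reopening the gap. The switch and the function it belongs to start outside these hunks, so the state names are not visible here.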