authorRuslan Ermilov <ru@nginx.com>2019-12-16 15:19:01 +0300
committerRuslan Ermilov <ru@nginx.com>2019-12-16 15:19:01 +0300
commita5895eb502747f396d3901a948834cd87d5fb0c3 (patch)
tree033ae5c9ff7fcfdd521e878b11e8c267ec127558
parentaf8ea176a743e97d767b3e1439d549b52dd0367a (diff)
downloadnginx-a5895eb502747f396d3901a948834cd87d5fb0c3.tar.gz
Tolerate '\0' in URI when mapping URI to path.
If a rewritten URI contains a null character, only part of the URI was copied to the memory buffer allocated for the path. In some setups this could be exploited to expose uninitialized memory via the Location header.
-rw-r--r--src/http/ngx_http_core_module.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/src/http/ngx_http_core_module.c b/src/http/ngx_http_core_module.c
index aa03fd617..a603e09ce 100644
--- a/src/http/ngx_http_core_module.c
+++ b/src/http/ngx_http_core_module.c
@@ -1843,7 +1843,8 @@ ngx_http_map_uri_to_path(ngx_http_request_t *r, ngx_str_t *path,
}
}
- last = ngx_cpystrn(last, r->uri.data + alias, r->uri.len - alias + 1);
+ last = ngx_copy(last, r->uri.data + alias, r->uri.len - alias);
+ *last = '\0';
return last;
}
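Review bot: The two added lines have no comment saying why `ngx_copy` plus an explicit terminator replaces `ngx_cpystrn`, so a later cleanup could fold them back into one call and reintroduce the short copy. I would add above them `/* the URI may contain '\0': copy all r->uri.len - alias bytes so no reserved byte is left unwritten */`. The write `*last = '\0'` relies on the allocation earlier in ngx_http_map_uri_to_path, which is outside this hunk, reserving one byte beyond the copied length; the old call expressed that as the `+ 1`, so it is worth confirming. Callers that hand the result to C-string file APIs will presumably still see the path end at the embedded null while the length derived from `last` covers the whole URI, so that mismatch should be checked where the length is consumed.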