Mercurial > hg > nginx-quic
diff src/http/ngx_http_parse.c @ 4534:fb322541c548 stable-1.0
Merge of r4530, r4531: null character fixes.
*) Fixed incorrect ngx_cpystrn() usage in ngx_http_*_process_header().
This resulted in a disclosure of previously freed memory if upstream
server returned specially crafted response, potentially exposing
sensitive information.
Reported by Matthew Daley.
*) Headers with null character are now rejected.
Headers with NUL character aren't allowed by HTTP standard and may cause
various security problems. They are now unconditionally rejected.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Thu, 15 Mar 2012 11:41:43 +0000 |
parents | 4919fb357a5d |
children |
line wrap: on
line diff
--- a/src/http/ngx_http_parse.c +++ b/src/http/ngx_http_parse.c @@ -814,6 +814,10 @@ ngx_http_parse_header_line(ngx_http_requ break; } + if (ch == '\0') { + return NGX_HTTP_PARSE_INVALID_HEADER; + } + r->invalid_header = 1; break; @@ -876,6 +880,10 @@ ngx_http_parse_header_line(ngx_http_requ break; } + if (ch == '\0') { + return NGX_HTTP_PARSE_INVALID_HEADER; + } + r->invalid_header = 1; break; @@ -894,6 +902,8 @@ ngx_http_parse_header_line(ngx_http_requ r->header_start = p; r->header_end = p; goto done; + case '\0': + return NGX_HTTP_PARSE_INVALID_HEADER; default: r->header_start = p; state = sw_value; @@ -915,6 +925,8 @@ ngx_http_parse_header_line(ngx_http_requ case LF: r->header_end = p; goto done; + case '\0': + return NGX_HTTP_PARSE_INVALID_HEADER; } break; @@ -928,6 +940,8 @@ ngx_http_parse_header_line(ngx_http_requ break; case LF: goto done; + case '\0': + return NGX_HTTP_PARSE_INVALID_HEADER; default: state = sw_value; break;