Mercurial > hg > nginx-quic
comparison src/http/ngx_http_script.c @ 4617:972642646f06
Rewrite: fixed escaping and possible segfault (ticket #162).
The following code resulted in incorrect escaping of uri and possible
segfault:
location / {
rewrite ^(.*) $1?c=$1;
return 200 "$uri";
}
If there were arguments in a rewrite's replacement string, and length was
actually calculated (due to duplicate captures as in the example above,
or variables present), the is_args flag was set and incorrectly copied
after length calculation. This resulted in escaping applied to the uri part
of the replacement, resulting in incorrect escaping. Additionally, buffer
was allocated without escaping expected, thus this also resulted in buffer
overrun and possible segfault.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Fri, 11 May 2012 13:19:22 +0000 |
parents | 13e09cf11d4e |
children | 4251e72b8bb4 |
comparison
equal
deleted
inserted
replaced
4616:b194fb640d3e | 4617:972642646f06 |
---|---|
1041 lcode = *(ngx_http_script_len_code_pt *) le.ip; | 1041 lcode = *(ngx_http_script_len_code_pt *) le.ip; |
1042 len += lcode(&le); | 1042 len += lcode(&le); |
1043 } | 1043 } |
1044 | 1044 |
1045 e->buf.len = len; | 1045 e->buf.len = len; |
1046 e->is_args = le.is_args; | |
1047 } | 1046 } |
1048 | 1047 |
1049 if (code->add_args && r->args.len) { | 1048 if (code->add_args && r->args.len) { |
1050 e->buf.len += r->args.len + 1; | 1049 e->buf.len += r->args.len + 1; |
1051 } | 1050 } |