Mercurial > hg > nginx-quic
changeset 7605:02a539522be4
Tolerate '\0' in URI when mapping URI to path.
If a rewritten URI has the null character, only a part of URI was
copied to a memory buffer allocated for path. In some setups this
could be exploited to expose uninitialized memory via the Location
header.
author | Ruslan Ermilov <ru@nginx.com> |
---|---|
date | Mon, 16 Dec 2019 15:19:01 +0300 |
parents | 7aa20af4ac00 |
children | db8df9cd84c8 |
files | src/http/ngx_http_core_module.c |
diffstat | 1 files changed, 2 insertions(+), 1 deletions(-) [+] |
line wrap: on
line diff
--- a/src/http/ngx_http_core_module.c +++ b/src/http/ngx_http_core_module.c @@ -1843,7 +1843,8 @@ ngx_http_map_uri_to_path(ngx_http_reques } } - last = ngx_cpystrn(last, r->uri.data + alias, r->uri.len - alias + 1); + last = ngx_copy(last, r->uri.data + alias, r->uri.len - alias); + *last = '\0'; return last; }