changeset 336:85cf055f9552 NGINX_0_5_38

nginx 0.5.38 *) Security: a segmentation fault might occur in worker process while handling a specially crafted request. Thanks to Chris Ries. *) Bugfix: a segmentation fault might occur in worker process, if error_log was set to info or debug level. Thanks to Sergey Bochenkov.
author Igor Sysoev <http://sysoev.ru>
date Mon, 14 Sep 2009 00:00:00 +0400
parents 90de406d5898
children 3682d4817e9f
files CHANGES CHANGES.ru src/core/nginx.h src/http/modules/perl/nginx.pm src/http/ngx_http_parse.c
diffstat 5 files changed, 42 insertions(+), 16 deletions(-) [+]
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,15 @@
 
+Changes with nginx 0.5.38                                        14 Sep 2009
+
+    *) Security: a segmentation fault might occur in worker process while 
+       specially crafted request handling.
+       Thanks to Chris Ries.
+
+    *) Bugfix: a segmentation fault might occur in worker process, if 
+       error_log was set to info or debug level.
+       Thanks to Sergey Bochenkov.
+
+
 Changes with nginx 0.5.37                                        07 Jul 2008
 
     *) Bugfix: if sub_filter and SSI were used together, then responses 
@@ -532,8 +543,8 @@ Changes with nginx 0.5.12               
        amd64, sparc, and ppc; the bug had appeared in 0.5.8.
 
     *) Bugfix: a segmentation fault might occur in worker process if the 
-       temporarily files were used while working with FastCGI server; the 
-       bug had appeared in 0.5.8.
+       temporary files were used while working with FastCGI server; the bug 
+       had appeared in 0.5.8.
 
     *) Bugfix: a segmentation fault might occur in worker process if the 
        $fastcgi_script_name variable was logged.
@@ -1075,7 +1086,7 @@ Changes with nginx 0.3.55               
     *) Bugfix: if the request contained "//" or "/./" and escaped symbols 
        after them, then the proxied request was sent unescaped.
 
-    *) Bugfix: the $r->headers_in("Cookie") of the ngx_http_perl_module now 
+    *) Bugfix: the $r->header_in("Cookie") of the ngx_http_perl_module now 
        returns all "Cookie" header lines.
 
     *) Bugfix: a segmentation fault occurred if 
@@ -1436,8 +1447,8 @@ Changes with nginx 0.3.31               
        in 0.3.18.
 
     *) Bugfix: if the HTTPS protocol was used in the "proxy_pass" directive 
-       and the request body was in temporarily file then the request was 
-       not transferred.
+       and the request body was in temporary file then the request was not 
+       transferred.
 
     *) Bugfix: perl 5.8.8 compatibility.
 
@@ -2589,8 +2600,8 @@ Changes with nginx 0.1.18               
     *) Bugfix: the proxy_set_x_var and fastcgi_set_var directives were not 
        inherited.
 
-    *) Bugfix: in the redirect rewrite directive the arguments were 
-       concatenated with URI by the "&" rather than the "?".
+    *) Bugfix: in a redirect rewrite directive arguments were concatenated 
+       with URI by an "&" rather than a "?".
 
     *) Bugfix: the lines without trailing ";" in the file being included by 
        the ngx_http_geo_module were silently ignored.
--- a/CHANGES.ru
+++ b/CHANGES.ru
@@ -1,4 +1,15 @@
 
+Изменения в nginx 0.5.38                                          14.09.2009
+
+    *) Безопасность: при обработке специально созданного запроса в рабочем 
+       процессе мог произойти segmentation fault.
+       Спасибо Chris Ries.
+
+    *) Исправление: при использовании error_log на уровне info или debug в 
+       рабочем процессе мог произойти segmentation fault.
+       Спасибо Сергею Боченкову.
+
+
 Изменения в nginx 0.5.37                                          07.07.2008
 
     *) Исправление: при совместном использовании sub_filter и SSI ответы 
@@ -1097,7 +1108,7 @@
        закодированные символы в виде "%XX", то проксируемый запрос 
        передавался незакодированным.
 
-    *) Исправление: метод $r->headers_in("Cookie") модуля 
+    *) Исправление: метод $r->header_in("Cookie") модуля 
        ngx_http_perl_module теперь возвращает все строки "Cookie" в 
        заголовке запроса.
 
--- a/src/core/nginx.h
+++ b/src/core/nginx.h
@@ -8,7 +8,7 @@
 #define _NGINX_H_INCLUDED_
 
 
-#define NGINX_VERSION      "0.5.37"
+#define NGINX_VERSION      "0.5.38"
 #define NGINX_VER          "nginx/" NGINX_VERSION
 
 #define NGINX_VAR          "NGINX"
--- a/src/http/modules/perl/nginx.pm
+++ b/src/http/modules/perl/nginx.pm
@@ -47,7 +47,7 @@ our @EXPORT = qw(
     HTTP_INSUFFICIENT_STORAGE
 );
 
-our $VERSION = '0.5.37';
+our $VERSION = '0.5.38';
 
 require XSLoader;
 XSLoader::load('nginx', $VERSION);
--- a/src/http/ngx_http_parse.c
+++ b/src/http/ngx_http_parse.c
@@ -738,6 +738,7 @@ ngx_http_parse_header_line(ngx_http_requ
 
         /* first char */
         case sw_start:
+            r->header_name_start = p;
             r->invalid_header = 0;
 
             switch (ch) {
@@ -750,7 +751,6 @@ ngx_http_parse_header_line(ngx_http_requ
                 goto header_done;
             default:
                 state = sw_name;
-                r->header_name_start = p;
 
                 c = lowcase[ch];
 
@@ -1123,11 +1123,15 @@ ngx_http_parse_complex_uri(ngx_http_requ
 #endif
             case '/':
                 state = sw_slash;
-                u -= 4;
-                if (u < r->uri.data) {
-                    return NGX_HTTP_PARSE_INVALID_REQUEST;
-                }
-                while (*(u - 1) != '/') {
+                u -= 5;
+                for ( ;; ) {
+                    if (u < r->uri.data) {
+                        return NGX_HTTP_PARSE_INVALID_REQUEST;
+                    }
+                    if (*u == '/') {
+                        u++;
+                        break;
+                    }
                     u--;
                 }
                 break;
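Review bot: The rewritten "/.." collapse at `u -= 5` relies on an unexplained offset and on the exact layout of the output buffer at this point, which the hunk gives no hint of; a short comment above `u -= 5;` would save the next reader from re-deriving it, e.g. `/* u points just past the "/.." already written; back up over "..", its slash and the last byte of the previous segment, then walk back to the preceding '/', checking the lower bound before every read (the old loop dereferenced u - 1 unchecked) */`. The bound test before `*u` is what the old `while (*(u - 1) != '/')` lacked, so the loop is now safe even when the previous segment is the first thing in uri.data; the step of 5 presumably assumes the byte at `u - 4` cannot itself be '/', which holds only if sw_slash never emits consecutive slashes, and that is worth stating explicitly. The earlier hunk in this file, which moves `r->header_name_start = p;` into `sw_start`, likewise deserves a one-line comment saying why it must be set before any invalid-header branch can log it. ngx_http_parse_complex_uri and ngx_http_parse_header_line both begin and end outside these hunks.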