nginx-vendor-current: src/http/modules/ngx_http_ssi_filter

comparison src/http/modules/ngx_http_ssi_filter_module.c @ 666:bf8b55a5ac89 NGINX_1_1_17

nginx 1.1.17 *) Security: content of previously freed memory might be sent to a client if backend returned specially crafted response. Thanks to Matthew Daley. *) Bugfix: in the embedded perl module if used from SSI. Thanks to Matthew Daley. *) Bugfix: in the ngx_http_uwsgi_module.

author	Igor Sysoev <http://sysoev.ru>
date	Thu, 15 Mar 2012 00:00:00 +0400
parents	d0f7a625f27c
children	ad45b044f1e5

comparison

equal deleted inserted replaced

-:a8821023989f
+:bf8b55a5ac89
 ctx->param->value.len = 0;
 if (ctx->value_buf == NULL) {
 ctx->param->value.data = ngx_pnalloc(r->pool,
-ctx->value_len);
+ctx->value_len + 1);
 if (ctx->param->value.data == NULL) {
 return NGX_ERROR;
 }
 } else {
 break;
 case ssi_quoted_symbol_state:
 state = ctx->saved_state;
+if (ctx->param->value.len == ctx->value_len) {
+ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
+"too long \"%V%c...\" value of \"%V\" "
+"parameter in \"%V\" SSI command",
+&ctx->param->value, ch, &ctx->param->key,
+&ctx->command);
+state = ssi_error_state;
+break;
+}
 ctx->param->value.data[ctx->param->value.len++] = ch;
 break;
 ngx_conf_merge_value(conf->silent_errors, prev->silent_errors, 0);
 ngx_conf_merge_value(conf->ignore_recycled_buffers,
 prev->ignore_recycled_buffers, 0);
 ngx_conf_merge_size_value(conf->min_file_chunk, prev->min_file_chunk, 1024);
-ngx_conf_merge_size_value(conf->value_len, prev->value_len, 256);
+ngx_conf_merge_size_value(conf->value_len, prev->value_len, 255);
 if (ngx_http_merge_types(cf, &conf->types_keys, &conf->types,
 &prev->types_keys, &prev->types,
 ngx_http_html_default_types)
 != NGX_OK)

Mercurial > hg > nginx-vendor-current

comparison src/http/modules/ngx_http_ssi_filter_module.c @ 666:bf8b55a5ac89 NGINX_1_1_17