Mercurial > hg > nginx-vendor-current
diff src/http/modules/ngx_http_ssi_filter_module.c @ 666:bf8b55a5ac89 NGINX_1_1_17
nginx 1.1.17
*) Security: content of previously freed memory might be sent to a
client if backend returned specially crafted response.
Thanks to Matthew Daley.
*) Bugfix: in the embedded perl module if used from SSI.
Thanks to Matthew Daley.
*) Bugfix: in the ngx_http_uwsgi_module.
| author | Igor Sysoev <http://sysoev.ru> |
|---|---|
| date | Thu, 15 Mar 2012 00:00:00 +0400 |
| parents | d0f7a625f27c |
| children | ad45b044f1e5 |
line wrap: on
line diff
--- a/src/http/modules/ngx_http_ssi_filter_module.c +++ b/src/http/modules/ngx_http_ssi_filter_module.c @@ -1204,7 +1204,7 @@ ngx_http_ssi_parse(ngx_http_request_t *r if (ctx->value_buf == NULL) { ctx->param->value.data = ngx_pnalloc(r->pool, - ctx->value_len); + ctx->value_len + 1); if (ctx->param->value.data == NULL) { return NGX_ERROR; } @@ -1375,6 +1375,16 @@ ngx_http_ssi_parse(ngx_http_request_t *r case ssi_quoted_symbol_state: state = ctx->saved_state; + if (ctx->param->value.len == ctx->value_len) { + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, + "too long \"%V%c...\" value of \"%V\" " + "parameter in \"%V\" SSI command", + &ctx->param->value, ch, &ctx->param->key, + &ctx->command); + state = ssi_error_state; + break; + } + ctx->param->value.data[ctx->param->value.len++] = ch; break; @@ -2886,7 +2896,7 @@ ngx_http_ssi_merge_loc_conf(ngx_conf_t * prev->ignore_recycled_buffers, 0); ngx_conf_merge_size_value(conf->min_file_chunk, prev->min_file_chunk, 1024); - ngx_conf_merge_size_value(conf->value_len, prev->value_len, 256); + ngx_conf_merge_size_value(conf->value_len, prev->value_len, 255); if (ngx_http_merge_types(cf, &conf->types_keys, &conf->types, &prev->types_keys, &prev->types,