Mercurial > hg > nginx-vendor-current
diff src/http/ngx_http_parse.c @ 666:bf8b55a5ac89 NGINX_1_1_17
nginx 1.1.17
*) Security: content of previously freed memory might be sent to a
client if backend returned specially crafted response.
Thanks to Matthew Daley.
*) Bugfix: in the embedded perl module if used from SSI.
Thanks to Matthew Daley.
*) Bugfix: in the ngx_http_uwsgi_module.
| author | Igor Sysoev <http://sysoev.ru> |
|---|---|
| date | Thu, 15 Mar 2012 00:00:00 +0400 |
| parents | d0f7a625f27c |
| children | 9fbf3ad94cbf |
line wrap: on
line diff
--- a/src/http/ngx_http_parse.c +++ b/src/http/ngx_http_parse.c @@ -874,6 +874,10 @@ ngx_http_parse_header_line(ngx_http_requ break; } + if (ch == '\0') { + return NGX_HTTP_PARSE_INVALID_HEADER; + } + r->invalid_header = 1; break; @@ -936,6 +940,10 @@ ngx_http_parse_header_line(ngx_http_requ break; } + if (ch == '\0') { + return NGX_HTTP_PARSE_INVALID_HEADER; + } + r->invalid_header = 1; break; @@ -954,6 +962,8 @@ ngx_http_parse_header_line(ngx_http_requ r->header_start = p; r->header_end = p; goto done; + case '\0': + return NGX_HTTP_PARSE_INVALID_HEADER; default: r->header_start = p; state = sw_value; @@ -975,6 +985,8 @@ ngx_http_parse_header_line(ngx_http_requ case LF: r->header_end = p; goto done; + case '\0': + return NGX_HTTP_PARSE_INVALID_HEADER; } break; @@ -988,6 +1000,8 @@ ngx_http_parse_header_line(ngx_http_requ break; case LF: goto done; + case '\0': + return NGX_HTTP_PARSE_INVALID_HEADER; default: state = sw_value; break;