Mercurial > hg > nginx
comparison src/http/modules/ngx_http_ssi_filter_module.c @ 4528:00ccad19c53d
Fixed ssi and perl interaction.
Embedded perl module assumes there is a space for terminating NUL character,
make sure to provide it in all situations by allocating one extra byte for
value buffer. Default ssi_value_length is reduced accordingly to
preserve 256 byte allocations.
While here, fixed another one byte value buffer overrun possible in
ssi_quoted_symbol_state.
Reported by Matthew Daley.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Thu, 15 Mar 2012 11:23:07 +0000 |
| parents | d620f497c50f |
| children | 1f0ecc900010 |
comparison
equal
deleted
inserted
replaced
| 4527:9c3a2fc3c460 | 4528:00ccad19c53d |
|---|---|
| 1202 | 1202 |
| 1203 ctx->param->value.len = 0; | 1203 ctx->param->value.len = 0; |
| 1204 | 1204 |
| 1205 if (ctx->value_buf == NULL) { | 1205 if (ctx->value_buf == NULL) { |
| 1206 ctx->param->value.data = ngx_pnalloc(r->pool, | 1206 ctx->param->value.data = ngx_pnalloc(r->pool, |
| 1207 ctx->value_len); | 1207 ctx->value_len + 1); |
| 1208 if (ctx->param->value.data == NULL) { | 1208 if (ctx->param->value.data == NULL) { |
| 1209 return NGX_ERROR; | 1209 return NGX_ERROR; |
| 1210 } | 1210 } |
| 1211 | 1211 |
| 1212 } else { | 1212 } else { |
| 1372 | 1372 |
| 1373 break; | 1373 break; |
| 1374 | 1374 |
| 1375 case ssi_quoted_symbol_state: | 1375 case ssi_quoted_symbol_state: |
| 1376 state = ctx->saved_state; | 1376 state = ctx->saved_state; |
| 1377 | |
| 1378 if (ctx->param->value.len == ctx->value_len) { | |
| 1379 ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, | |
| 1380 "too long \"%V%c...\" value of \"%V\" " | |
| 1381 "parameter in \"%V\" SSI command", | |
| 1382 &ctx->param->value, ch, &ctx->param->key, | |
| 1383 &ctx->command); | |
| 1384 state = ssi_error_state; | |
| 1385 break; | |
| 1386 } | |
| 1377 | 1387 |
| 1378 ctx->param->value.data[ctx->param->value.len++] = ch; | 1388 ctx->param->value.data[ctx->param->value.len++] = ch; |
| 1379 | 1389 |
| 1380 break; | 1390 break; |
| 1381 | 1391 |
| 2884 ngx_conf_merge_value(conf->silent_errors, prev->silent_errors, 0); | 2894 ngx_conf_merge_value(conf->silent_errors, prev->silent_errors, 0); |
| 2885 ngx_conf_merge_value(conf->ignore_recycled_buffers, | 2895 ngx_conf_merge_value(conf->ignore_recycled_buffers, |
| 2886 prev->ignore_recycled_buffers, 0); | 2896 prev->ignore_recycled_buffers, 0); |
| 2887 | 2897 |
| 2888 ngx_conf_merge_size_value(conf->min_file_chunk, prev->min_file_chunk, 1024); | 2898 ngx_conf_merge_size_value(conf->min_file_chunk, prev->min_file_chunk, 1024); |
| 2889 ngx_conf_merge_size_value(conf->value_len, prev->value_len, 256); | 2899 ngx_conf_merge_size_value(conf->value_len, prev->value_len, 255); |
| 2890 | 2900 |
| 2891 if (ngx_http_merge_types(cf, &conf->types_keys, &conf->types, | 2901 if (ngx_http_merge_types(cf, &conf->types_keys, &conf->types, |
| 2892 &prev->types_keys, &prev->types, | 2902 &prev->types_keys, &prev->types, |
| 2893 ngx_http_html_default_types) | 2903 ngx_http_html_default_types) |
| 2894 != NGX_OK) | 2904 != NGX_OK) |