comparison src/http/modules/ngx_http_ssi_filter_module.c @ 4528:00ccad19c53d
Fixed ssi and perl interaction.
Embedded perl module assumes there is a space for terminating NUL character,
make sure to provide it in all situations by allocating one extra byte for
value buffer. Default ssi_value_length is reduced accordingly to
preserve 256 byte allocations.
While here, fixed another one byte value buffer overrun possible in
ssi_quoted_symbol_state.
Reported by Matthew Daley.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Thu, 15 Mar 2012 11:23:07 +0000 |
parents | d620f497c50f |
children | 1f0ecc900010 |
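--- a/src/http/modules/ngx_http_ssi_filter_module.c
+++ b/src/http/modules/ngx_http_ssi_filter_module.c
@@ -1202,11 +1202,11 @@
 
 ctx->param->value.len = 0;
 
 if (ctx->value_buf == NULL) {
 ctx->param->value.data = ngx_pnalloc(r->pool,
-ctx->value_len);
+ctx->value_len + 1);
 if (ctx->param->value.data == NULL) {
 return NGX_ERROR;
 }
 
 } else {
@@ -1372,10 +1372,20 @@
 
 break;
 
 case ssi_quoted_symbol_state:
 state = ctx->saved_state;
+
+if (ctx->param->value.len == ctx->value_len) {
+ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
+"too long \"%V%c...\" value of \"%V\" "
+"parameter in \"%V\" SSI command",
+&ctx->param->value, ch, &ctx->param->key,
+&ctx->command);
+state = ssi_error_state;
+break;
+}
 
 ctx->param->value.data[ctx->param->value.len++] = ch;
 
 break;
 
@@ -2884,11 +2894,11 @@
 ngx_conf_merge_value(conf->silent_errors, prev->silent_errors, 0);
 ngx_conf_merge_value(conf->ignore_recycled_buffers,
 prev->ignore_recycled_buffers, 0);
 
 ngx_conf_merge_size_value(conf->min_file_chunk, prev->min_file_chunk, 1024);
-ngx_conf_merge_size_value(conf->value_len, prev->value_len, 256);
+ngx_conf_merge_size_value(conf->value_len, prev->value_len, 255);
 
 if (ngx_http_merge_types(cf, &conf->types_keys, &conf->types,
 &prev->types_keys, &prev->types,
 ngx_http_html_default_types)
 != NGX_OK)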
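Review bot: The `ctx->value_len + 1` allocation in the first hunk carries an invariant that nothing in the code states: the buffer holds at most `value_len` value bytes, and the final byte is reserved for a NUL that the embedded perl module expects room for. A comment above the `ngx_pnalloc()` call, for example `/* one extra byte: the perl module needs room for a terminating NUL */`, would keep a later cleanup from trimming it. The `else` branch reuses `ctx->value_buf`, whose allocation is outside the shown lines, so it is worth confirming that every buffer recycled there was also allocated with the `+ 1`. The new `value.len == ctx->value_len` check in `ssi_quoted_symbol_state` depends on the same bound and deserves a one-line comment saying so.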