comparison src/http/ngx_http_variables.c @ 6263:48c13a0824c5

Fixed variables prefix comparison. Variable names are not null-terminated, so using ngx_strncmp() without extra length checks is wrong. Reported by Markus Linnala, http://mailman.nginx.org/pipermail/nginx-devel/2015-August/007211.html.
author Maxim Dounin <mdounin@mdounin.ru>
date Mon, 19 Oct 2015 21:28:17 +0300
parents a08fad30aeac
children 3ef7bb882ad4
6262:1063097b22b6 6263:48c13a0824c5
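--- a/src/http/ngx_http_variables.c
+++ b/src/http/ngx_http_variables.c
@@ -573,64 +573,66 @@
 vv = ngx_palloc(r->pool, sizeof(ngx_http_variable_value_t));
 if (vv == NULL) {
 return NULL;
 }
 
-if (ngx_strncmp(name->data, "http_", 5) == 0) {
+if (name->len >= 5 && ngx_strncmp(name->data, "http_", 5) == 0) {
 
 if (ngx_http_variable_unknown_header_in(r, vv, (uintptr_t) name)
 == NGX_OK)
 {
 return vv;
 }
 
 return NULL;
 }
 
-if (ngx_strncmp(name->data, "sent_http_", 10) == 0) {
+if (name->len >= 10 && ngx_strncmp(name->data, "sent_http_", 10) == 0) {
 
 if (ngx_http_variable_unknown_header_out(r, vv, (uintptr_t) name)
 == NGX_OK)
 {
 return vv;
 }
 
 return NULL;
 }
 
-if (ngx_strncmp(name->data, "upstream_http_", 14) == 0) {
+if (name->len >= 14 && ngx_strncmp(name->data, "upstream_http_", 14) == 0) {
 
 if (ngx_http_upstream_header_variable(r, vv, (uintptr_t) name)
 == NGX_OK)
 {
 return vv;
 }
 
 return NULL;
 }
 
-if (ngx_strncmp(name->data, "cookie_", 7) == 0) {
+if (name->len >= 7 && ngx_strncmp(name->data, "cookie_", 7) == 0) {
 
 if (ngx_http_variable_cookie(r, vv, (uintptr_t) name) == NGX_OK) {
 return vv;
 }
 
 return NULL;
 }
 
-if (ngx_strncmp(name->data, "upstream_cookie_", 16) == 0) {
+if (name->len >= 16
+&& ngx_strncmp(name->data, "upstream_cookie_", 16) == 0)
+{
 
 if (ngx_http_upstream_cookie_variable(r, vv, (uintptr_t) name)
 == NGX_OK)
 {
 return vv;
 }
 
 return NULL;
 }
 
-if (ngx_strncmp(name->data, "arg_", 4) == 0) {
+if (name->len >= 4 && ngx_strncmp(name->data, "arg_", 4) == 0) {
 
 if (ngx_http_variable_argument(r, vv, (uintptr_t) name) == NGX_OK) {
 return vv;
 }
 
@@ -2533,48 +2535,60 @@
 
 goto next;
 }
 }
 
-if (ngx_strncmp(v[i].name.data, "http_", 5) == 0) {
+if (v[i].name.len >= 5
+&& ngx_strncmp(v[i].name.data, "http_", 5) == 0)
+{
 v[i].get_handler = ngx_http_variable_unknown_header_in;
 v[i].data = (uintptr_t) &v[i].name;
 
 continue;
 }
 
-if (ngx_strncmp(v[i].name.data, "sent_http_", 10) == 0) {
+if (v[i].name.len >= 10
+&& ngx_strncmp(v[i].name.data, "sent_http_", 10) == 0)
+{
 v[i].get_handler = ngx_http_variable_unknown_header_out;
 v[i].data = (uintptr_t) &v[i].name;
 
 continue;
 }
 
-if (ngx_strncmp(v[i].name.data, "upstream_http_", 14) == 0) {
+if (v[i].name.len >= 14
+&& ngx_strncmp(v[i].name.data, "upstream_http_", 14) == 0)
+{
 v[i].get_handler = ngx_http_upstream_header_variable;
 v[i].data = (uintptr_t) &v[i].name;
 v[i].flags = NGX_HTTP_VAR_NOCACHEABLE;
 
 continue;
 }
 
-if (ngx_strncmp(v[i].name.data, "cookie_", 7) == 0) {
+if (v[i].name.len >= 7
+&& ngx_strncmp(v[i].name.data, "cookie_", 7) == 0)
+{
 v[i].get_handler = ngx_http_variable_cookie;
 v[i].data = (uintptr_t) &v[i].name;
 
 continue;
 }
 
-if (ngx_strncmp(v[i].name.data, "upstream_cookie_", 16) == 0) {
+if (v[i].name.len >= 16
+&& ngx_strncmp(v[i].name.data, "upstream_cookie_", 16) == 0)
+{
 v[i].get_handler = ngx_http_upstream_cookie_variable;
 v[i].data = (uintptr_t) &v[i].name;
 v[i].flags = NGX_HTTP_VAR_NOCACHEABLE;
 
 continue;
 }
 
-if (ngx_strncmp(v[i].name.data, "arg_", 4) == 0) {
+if (v[i].name.len >= 4
+&& ngx_strncmp(v[i].name.data, "arg_", 4) == 0)
+{
 v[i].get_handler = ngx_http_variable_argument;
 v[i].data = (uintptr_t) &v[i].name;
 v[i].flags = NGX_HTTP_VAR_NOCACHEABLE;
 
 continue;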
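Review bot: The prefix length is typed by hand twice beside each literal in all twelve conditions (`name->len >= 5 && ngx_strncmp(name->data, "http_", 5)` through `"arg_", 4`), in both the lookup block and the `v[i]` loop, so a later edit that changes a prefix without updating both numbers would quietly weaken the guard this commit adds for names that are not null-terminated. Deriving the length from the literal keeps the three in step, e.g. `name->len >= sizeof("http_") - 1 && ngx_strncmp(name->data, "http_", sizeof("http_") - 1) == 0`. A short comment above the first check in each block, such as `/* name->data is not null-terminated: test len before ngx_strncmp() */`, would stop the length test from being dropped as redundant in a future cleanup. Both enclosing functions start and end outside the lines shown, so whether other `ngx_strncmp()` calls on length-counted strings in this file need the same guard cannot be judged from here.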