Mercurial > hg > nginx
comparison src/http/modules/ngx_http_scgi_module.c @ 4534:fb322541c548 stable-1.0
Merge of r4530, r4531: null character fixes.
*) Fixed incorrect ngx_cpystrn() usage in ngx_http_*_process_header().
This resulted in a disclosure of previously freed memory if upstream
server returned specially crafted response, potentially exposing
sensitive information.
Reported by Matthew Daley.
*) Headers with null character are now rejected.
Headers with NUL character aren't allowed by HTTP standard and may cause
various security problems. They are now unconditionally rejected.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Thu, 15 Mar 2012 11:41:43 +0000 |
| parents | 4919fb357a5d |
| children |
comparison
equal
deleted
inserted
replaced
| 4533:65ff9ed7feb2 | 4534:fb322541c548 |
|---|---|
| 892 } | 892 } |
| 893 | 893 |
| 894 h->value.data = h->key.data + h->key.len + 1; | 894 h->value.data = h->key.data + h->key.len + 1; |
| 895 h->lowcase_key = h->key.data + h->key.len + 1 + h->value.len + 1; | 895 h->lowcase_key = h->key.data + h->key.len + 1 + h->value.len + 1; |
| 896 | 896 |
| 897 ngx_cpystrn(h->key.data, r->header_name_start, h->key.len + 1); | 897 ngx_memcpy(h->key.data, r->header_name_start, h->key.len); |
| 898 ngx_cpystrn(h->value.data, r->header_start, h->value.len + 1); | 898 h->key.data[h->key.len] = '\0'; |
| 899 ngx_memcpy(h->value.data, r->header_start, h->value.len); | |
| 900 h->value.data[h->value.len] = '\0'; | |
| 899 | 901 |
| 900 if (h->key.len == r->lowcase_index) { | 902 if (h->key.len == r->lowcase_index) { |
| 901 ngx_memcpy(h->lowcase_key, r->lowcase_header, h->key.len); | 903 ngx_memcpy(h->lowcase_key, r->lowcase_header, h->key.len); |
| 902 | 904 |
| 903 } else { | 905 } else { |