nginx: src/http/ngx_http_parse.c comparison

comparison src/http/ngx_http_parse.c @ 4534:fb322541c548 stable-1.0

Merge of r4530, r4531: null character fixes. *) Fixed incorrect ngx_cpystrn() usage in ngx_http_*_process_header(). This resulted in a disclosure of previously freed memory if upstream server returned specially crafted response, potentially exposing sensitive information. Reported by Matthew Daley. *) Headers with null character are now rejected. Headers with NUL character aren't allowed by HTTP standard and may cause various security problems. They are now unconditionally rejected.

author	Maxim Dounin <mdounin@mdounin.ru>
date	Thu, 15 Mar 2012 11:41:43 +0000
parents	4919fb357a5d
children

comparison

equal deleted inserted replaced

-:65ff9ed7feb2
+:fb322541c548
 r->lowcase_header[0] = c;
 i = 1;
 break;
 }
+if (ch == '\0') {
+return NGX_HTTP_PARSE_INVALID_HEADER;
+}
 r->invalid_header = 1;
 break;
 }
 {
 state = sw_ignore_line;
 break;
 }
+if (ch == '\0') {
+return NGX_HTTP_PARSE_INVALID_HEADER;
+}
 r->invalid_header = 1;
 break;
 /* space* before header value */
 break;
 case LF:
 r->header_start = p;
 r->header_end = p;
 goto done;
+case '\0':
+return NGX_HTTP_PARSE_INVALID_HEADER;
 default:
 r->header_start = p;
 state = sw_value;
 break;
 }
 state = sw_almost_done;
 break;
 case LF:
 r->header_end = p;
 goto done;
+case '\0':
+return NGX_HTTP_PARSE_INVALID_HEADER;
 }
 break;
 /* space* before end of header line */
 case sw_space_after_value:
 case CR:
 state = sw_almost_done;
 break;
 case LF:
 goto done;
+case '\0':
+return NGX_HTTP_PARSE_INVALID_HEADER;
 default:
 state = sw_value;
 break;
 }
 break;

Mercurial > hg > nginx

comparison src/http/ngx_http_parse.c @ 4534:fb322541c548 stable-1.0