comparison src/http/ngx_http_parse.c @ 4534:fb322541c548 stable-1.0
Merge of r4530, r4531: null character fixes.
*) Fixed incorrect ngx_cpystrn() usage in ngx_http_*_process_header().
This resulted in a disclosure of previously freed memory if upstream
server returned specially crafted response, potentially exposing
sensitive information.
Reported by Matthew Daley.
*) Headers with null character are now rejected.
Headers with NUL character aren't allowed by HTTP standard and may cause
various security problems. They are now unconditionally rejected.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Thu, 15 Mar 2012 11:41:43 +0000 |
parents | 4919fb357a5d |
children |
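--- a/src/http/ngx_http_parse.c
+++ b/src/http/ngx_http_parse.c
@@ -812,10 +812,14 @@
 r->lowcase_header[0] = c;
 i = 1;
 break;
 }
 
+if (ch == '\0') {
+return NGX_HTTP_PARSE_INVALID_HEADER;
+}
+
 r->invalid_header = 1;
 
 break;
 
 }
@@ -874,10 +878,14 @@
 {
 state = sw_ignore_line;
 break;
 }
 
+if (ch == '\0') {
+return NGX_HTTP_PARSE_INVALID_HEADER;
+}
+
 r->invalid_header = 1;
 
 break;
 
 /* space* before header value */
@@ -892,10 +900,12 @@
 break;
 case LF:
 r->header_start = p;
 r->header_end = p;
 goto done;
+case '\0':
+return NGX_HTTP_PARSE_INVALID_HEADER;
 default:
 r->header_start = p;
 state = sw_value;
 break;
 }
@@ -913,10 +923,12 @@
 state = sw_almost_done;
 break;
 case LF:
 r->header_end = p;
 goto done;
+case '\0':
+return NGX_HTTP_PARSE_INVALID_HEADER;
 }
 break;
 
 /* space* before end of header line */
 case sw_space_after_value:
@@ -926,10 +938,12 @@
 case CR:
 state = sw_almost_done;
 break;
 case LF:
 goto done;
+case '\0':
+return NGX_HTTP_PARSE_INVALID_HEADER;
 default:
 state = sw_value;
 break;
 }
 break;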
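Review bot: The two `if (ch == '\0')` checks at new lines 817 and 883 sit directly above `r->invalid_header = 1;` with no comment explaining why a NUL byte gets a hard `NGX_HTTP_PARSE_INVALID_HEADER` return while every other bad name character only sets the flag. A one-line comment on the first check, such as `/* NUL is never valid in a header line: reject outright instead of only marking the header invalid */`, would keep a later cleanup from folding the two paths back together. The same rationale covers the three `case '\0':` arms at new lines 905, 928 and 943, so a short reference to that comment there would be enough. The enclosing switch and function begin and end outside the shown hunks, so it cannot be confirmed from this page that every state consuming header bytes has the check, or that callers treat this return code as fatal for both client and upstream headers.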