Mercurial > hg > nginx
diff src/http/ngx_http_core_module.c @ 7605:02a539522be4
Tolerate '\0' in URI when mapping URI to path.
If a rewritten URI has the null character, only a part of URI was
copied to a memory buffer allocated for path. In some setups this
could be exploited to expose uninitialized memory via the Location
header.
author | Ruslan Ermilov <ru@nginx.com> |
---|---|
date | Mon, 16 Dec 2019 15:19:01 +0300 |
parents | a7e8f953408e |
children | 1055e43e4fab |
line wrap: on
line diff
--- a/src/http/ngx_http_core_module.c +++ b/src/http/ngx_http_core_module.c @@ -1843,7 +1843,8 @@ ngx_http_map_uri_to_path(ngx_http_reques } } - last = ngx_cpystrn(last, r->uri.data + alias, r->uri.len - alias + 1); + last = ngx_copy(last, r->uri.data + alias, r->uri.len - alias); + *last = '\0'; return last; }