Mercurial > hg > nginx

diff src/http/modules/ngx_http_fastcgi_module.c @ 4534:fb322541c548 stable-1.0

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Merge of r4530, r4531: null character fixes. *) Fixed incorrect ngx_cpystrn() usage in ngx_http_*_process_header(). This resulted in a disclosure of previously freed memory if upstream server returned specially crafted response, potentially exposing sensitive information. Reported by Matthew Daley. *) Headers with null character are now rejected. Headers with NUL character aren't allowed by HTTP standard and may cause various security problems. They are now unconditionally rejected.
author Maxim Dounin <mdounin@mdounin.ru>
date Thu, 15 Mar 2012 11:41:43 +0000
parents 4919fb357a5d
children
line wrap: on
line diff
--- a/src/http/modules/ngx_http_fastcgi_module.c
+++ b/src/http/modules/ngx_http_fastcgi_module.c
@@ -1446,10 +1446,10 @@ ngx_http_fastcgi_process_header(ngx_http
                     h->lowcase_key = h->key.data + h->key.len + 1
                                      + h->value.len + 1;
 
-                    ngx_cpystrn(h->key.data, r->header_name_start,
-                                h->key.len + 1);
-                    ngx_cpystrn(h->value.data, r->header_start,
-                                h->value.len + 1);
+                    ngx_memcpy(h->key.data, r->header_name_start, h->key.len);
+                    h->key.data[h->key.len] = '\0';
+                    ngx_memcpy(h->value.data, r->header_start, h->value.len);
+                    h->value.data[h->value.len] = '\0';
                 }
 
                 h->hash = r->header_hash;