changeset 4528:00ccad19c53d

Fixed ssi and perl interaction. Embedded perl module assumes there is a space for terminating NUL character, make sure to provide it in all situations by allocating one extra byte for value buffer. Default ssi_value_length is reduced accordingly to preserve 256 byte allocations. While here, fixed another one byte value buffer overrun possible in ssi_quoted_symbol_state. Reported by Matthew Daley.
author Maxim Dounin <mdounin@mdounin.ru>
date Thu, 15 Mar 2012 11:23:07 +0000
parents 9c3a2fc3c460
children 1ebec1d15a25
files src/http/modules/ngx_http_ssi_filter_module.c
diffstat 1 files changed, 12 insertions(+), 2 deletions(-) [+]
--- a/src/http/modules/ngx_http_ssi_filter_module.c
+++ b/src/http/modules/ngx_http_ssi_filter_module.c
@@ -1204,7 +1204,7 @@ ngx_http_ssi_parse(ngx_http_request_t *r
 
                 if (ctx->value_buf == NULL) {
                     ctx->param->value.data = ngx_pnalloc(r->pool,
-                                                         ctx->value_len);
+                                                         ctx->value_len + 1);
                     if (ctx->param->value.data == NULL) {
                         return NGX_ERROR;
                     }
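Review bot: Only the `ctx->value_buf == NULL` branch is shown reserving the extra byte, so the path that reuses `ctx->value_buf` depends on that buffer also being allocated with `ctx->value_len + 1`. That allocation is outside this hunk and should be confirmed, since the commit message promises room for the NUL in all situations. The `+ 1` also deserves a comment at the call, for example `/* one extra byte: embedded perl expects room for a terminating NUL */`, so a later cleanup does not remove it as an apparent off-by-one. ngx_http_ssi_parse starts and ends outside the hunk.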
@@ -1375,6 +1375,16 @@ ngx_http_ssi_parse(ngx_http_request_t *r
         case ssi_quoted_symbol_state:
             state = ctx->saved_state;
 
+            if (ctx->param->value.len == ctx->value_len) {
+                ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
+                              "too long \"%V%c...\" value of \"%V\" "
+                              "parameter in \"%V\" SSI command",
+                              &ctx->param->value, ch, &ctx->param->key,
+                              &ctx->command);
+                state = ssi_error_state;
+                break;
+            }
+
             ctx->param->value.data[ctx->param->value.len++] = ch;
 
             break;
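Review bot: The guard added in `ssi_quoted_symbol_state` tests `ctx->param->value.len == ctx->value_len`, which protects the store below it only while every other writer to `value.data` keeps `len` from passing `value_len`; those states are outside the hunk. A short comment would make that invariant explicit, for example `/* value.data holds value_len bytes plus a reserved NUL; never store at index value_len */`. Writing the test as `if (ctx->param->value.len >= ctx->value_len) {` would also fail closed if the invariant is ever broken, provided that matches how the sibling states are written.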
@@ -2886,7 +2896,7 @@ ngx_http_ssi_merge_loc_conf(ngx_conf_t *
                          prev->ignore_recycled_buffers, 0);
 
     ngx_conf_merge_size_value(conf->min_file_chunk, prev->min_file_chunk, 1024);
-    ngx_conf_merge_size_value(conf->value_len, prev->value_len, 256);
+    ngx_conf_merge_size_value(conf->value_len, prev->value_len, 255);
 
     if (ngx_http_merge_types(cf, &conf->types_keys, &conf->types,
                              &prev->types_keys, &prev->types,
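Review bot: The new default `255` in the `ngx_conf_merge_size_value(conf->value_len, ...)` call reads as an arbitrary number unless the reader knows about the `+ 1` in the parser. A comment such as `/* 255 + 1 byte for the terminating NUL keeps the default allocation at 256 bytes */` would tie the two together. The change also shortens the longest parameter value accepted under the default configuration by one byte, so the documented default for `ssi_value_length` should be updated to match. ngx_http_ssi_merge_loc_conf continues past the end of the hunk.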