changeset 7605:02a539522be4

Tolerate '\0' in URI when mapping URI to path. If a rewritten URI has the null character, only a part of URI was copied to a memory buffer allocated for path. In some setups this could be exploited to expose uninitialized memory via the Location header.
author Ruslan Ermilov <ru@nginx.com>
date Mon, 16 Dec 2019 15:19:01 +0300
parents 7aa20af4ac00
children db8df9cd84c8
files src/http/ngx_http_core_module.c
diffstat 1 files changed, 2 insertions(+), 1 deletions(-)
--- a/src/http/ngx_http_core_module.c
+++ b/src/http/ngx_http_core_module.c
@@ -1843,7 +1843,8 @@ ngx_http_map_uri_to_path(ngx_http_reques
         }
     }
 
-    last = ngx_cpystrn(last, r->uri.data + alias, r->uri.len - alias + 1);
+    last = ngx_copy(last, r->uri.data + alias, r->uri.len - alias);
+    *last = '\0';
 
     return last;
 }
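Review bot: the added `ngx_copy(...)` / `*last = '\0';` pair carries two invariants that the code leaves unstated, and a short comment above it would help. First, the destination must hold `r->uri.len - alias` bytes plus one more for the terminator. That is the same upper bound the removed `ngx_cpystrn` call was given (`r->uri.len - alias + 1`), so the allocation should not need to change, but the allocation sits outside this hunk and the dependency is worth spelling out next to the explicit store. Second, the path can now carry an embedded '\0' ahead of the returned `last`, so any caller that treats the buffer as a C string will see fewer bytes than the length derived from `last`. Please note in the comment that this is intended, and consider a regression test with a rewritten URI containing a null character that checks the Location header output.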