Mercurial > hg > nginx

--- a/src/http/modules/ngx_http_geo_module.c
+++ b/src/http/modules/ngx_http_geo_module.c
@@ -322,6 +322,13 @@ ngx_http_geo_block(ngx_conf_t *cf, ngx_c
     }

     name = value[1];
+
+    if (name.len < 2 || name.data[0] != '$') {
+        ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
+                           "invalid variable name \"%V\"", &name);
+        return NGX_CONF_ERROR;
+    }
+
     name.len--;
     name.data++;
--- a/src/http/modules/ngx_http_limit_conn_module.c
+++ b/src/http/modules/ngx_http_limit_conn_module.c
@@ -540,7 +540,7 @@ ngx_http_limit_conn_zone(ngx_conf_t *cf,
             continue;
         }

-        if (value[i].data[0] == '$') {
+        if (value[i].len > 1 && value[i].data[0] == '$') {

             value[i].len--;
             value[i].data++;
@@ -613,7 +613,7 @@ ngx_http_limit_zone(ngx_conf_t *cf, ngx_

     value = cf->args->elts;

-    if (value[2].data[0] != '$') {
+    if (value[2].len < 2 || value[2].data[0] != '$') {
         ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
                            "invalid variable name \"%V\"", &value[2]);
         return NGX_CONF_ERROR;
--- a/src/http/modules/ngx_http_rewrite_module.c
+++ b/src/http/modules/ngx_http_rewrite_module.c
@@ -908,7 +908,7 @@ ngx_http_rewrite_set(ngx_conf_t *cf, ngx

     value = cf->args->elts;

-    if (value[1].data[0] != '$') {
+    if (value[1].len < 2 || value[1].data[0] != '$') {
         ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
                            "invalid variable name \"%V\"", &value[1]);
         return NGX_CONF_ERROR;
--- a/src/http/modules/perl/ngx_http_perl_module.c
+++ b/src/http/modules/perl/ngx_http_perl_module.c
@@ -968,7 +968,7 @@ ngx_http_perl_set(ngx_conf_t *cf, ngx_co

     value = cf->args->elts;

-    if (value[1].data[0] != '$') {
+    if (value[1].len < 2 || value[1].data[0] != '$') {
         ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
                            "invalid variable name \"%V\"", &value[1]);
         return NGX_CONF_ERROR;