Mercurial > hg > nginx

changeset 7539:d75153522557

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
SSI: avoid potential buffer overflow. When "-" follows a parameter of maximum length, a single byte buffer overflow happens, since the error branch does not check parameter length. Fix is to avoid saving "-" to the parameter key, and instead use an error message with "-" explicitly written. The message is mostly identical to one used in similar cases in the preequal state. Reported by Patrick Wollgast.
author Maxim Dounin <mdounin@mdounin.ru>
date Thu, 18 Jul 2019 18:27:53 +0300
parents 08ed570ad93c
children 9a970c905045
files src/http/modules/ngx_http_ssi_filter_module.c
diffstat 1 files changed, 2 insertions(+), 2 deletions(-) [+]
line wrap: on
line diff
--- a/src/http/modules/ngx_http_ssi_filter_module.c
+++ b/src/http/modules/ngx_http_ssi_filter_module.c
@@ -1254,9 +1254,9 @@ ngx_http_ssi_parse(ngx_http_request_t *r
             case '-':
                 state = ssi_error_end0_state;
 
-                ctx->param->key.data[ctx->param->key.len++] = ch;
                 ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
-                              "invalid \"%V\" parameter in \"%V\" SSI command",
+                              "unexpected \"-\" symbol after \"%V\" "
+                              "parameter in \"%V\" SSI command",
                               &ctx->param->key, &ctx->command);
                 break;