IntenseWebs/nginx
3
0
Fork 0
mirror of https://github.com/nginx/nginx.git synced 2025-02-25 18:55:26 -06:00
Code Issues Packages Projects Releases Wiki Activity

Fixed ssi and perl interaction.

Browse Source 
Embedded perl module assumes there is a space for terminating NUL character,
make sure to provide it in all situations by allocating one extra byte for
value buffer.  Default ssi_value_length is reduced accordingly to
preserve 256 byte allocations.

While here, fixed another one byte value buffer overrun possible in
ssi_quoted_symbol_state.

Reported by Matthew Daley.
This commit is contained in:
Maxim Dounin
2012-03-15 11:23:07 +00:00
parent 205394e6f9
commit 030e235ec7
1 changed files with 12 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
src/http/modules/ngx_http_ssi_filter_module.c
View File

@@ -1204,7 +1204,7 @@ ngx_http_ssi_parse(ngx_http_request_t *r, ngx_http_ssi_ctx_t *ctx)
if (ctx->value_buf == NULL) {
ctx->param->value.data = ngx_pnalloc(r->pool,
ctx->value_len);
ctx->value_len + 1);
if (ctx->param->value.data == NULL) {
return NGX_ERROR;
}
@@ -1375,6 +1375,16 @@ ngx_http_ssi_parse(ngx_http_request_t *r, ngx_http_ssi_ctx_t *ctx)
case ssi_quoted_symbol_state:
state = ctx->saved_state;
if (ctx->param->value.len == ctx->value_len) {
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
"too long \"%V%c...\" value of \"%V\" "
"parameter in \"%V\" SSI command",
&ctx->param->value, ch, &ctx->param->key,
&ctx->command);
state = ssi_error_state;
break;
}
ctx->param->value.data[ctx->param->value.len++] = ch;
break;
@@ -2886,7 +2896,7 @@ ngx_http_ssi_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
prev->ignore_recycled_buffers, 0);
ngx_conf_merge_size_value(conf->min_file_chunk, prev->min_file_chunk, 1024);
ngx_conf_merge_size_value(conf->value_len, prev->value_len, 256);
ngx_conf_merge_size_value(conf->value_len, prev->value_len, 255);
if (ngx_http_merge_types(cf, &conf->types_keys, &conf->types,
&prev->types_keys, &prev->types,