Rewrite: fixed escaping and possible segfault (ticket #162).

The following code resulted in incorrect escaping of uri and possible segfault: location / { rewrite ^(.*) $1?c=$1; return 200 "$uri"; } If there were arguments in a rewrite's replacement string, and length was actually calculated (due to duplicate captures as in the example above, or variables present), the is_args flag was set and incorrectly copied after length calculation. This resulted in escaping applied to the uri part of the replacement, resulting in incorrect escaping. Additionally, buffer was allocated without escaping expected, thus this also resulted in buffer overrun and possible segfault.
2024-12-28 09:51:04 -06:00 · 2012-05-11 13:19:22 +00:00 · 2012-05-11 13:19:22 +00:00 · 74d939974d
commit 74d939974d
parent 9114f08863
1 changed files with 0 additions and 1 deletions
--- a/src/http/ngx_http_script.c
+++ b/src/http/ngx_http_script.c
@ -1043,7 +1043,6 @@ ngx_http_script_regex_start_code(ngx_http_script_engine_t *e)
        }

        e->buf.len = len;
-        e->is_args = le.is_args;
    }

    if (code->add_args && r->args.len) {