IntenseWebs/nginx
3
0
Fork 0
mirror of https://github.com/nginx/nginx.git synced 2024-12-27 17:31:35 -06:00
Code Issues Packages Projects Releases Wiki Activity

Tolerate '\0' in URI when mapping URI to path.

Browse Source 
If a rewritten URI has the null character, only a part of URI was
copied to a memory buffer allocated for path.  In some setups this
could be exploited to expose uninitialized memory via the Location
header.
This commit is contained in:
Ruslan Ermilov 2019-12-16 15:19:01 +03:00
parent af8ea176a7
commit a5895eb502
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/http/ngx_http_core_module.c
View File

@ -1843,7 +1843,8 @@ ngx_http_map_uri_to_path(ngx_http_request_t *r, ngx_str_t *path,
}
}
last = ngx_cpystrn(last, r->uri.data + alias, r->uri.len - alias + 1);
last = ngx_copy(last, r->uri.data + alias, r->uri.len - alias);
*last = '\0';
return last;
}