IntenseWebs/nginx
3
0
Fork 0
mirror of https://github.com/nginx/nginx.git synced 2025-02-25 18:55:26 -06:00
Code Issues Packages Projects Releases Wiki Activity

Fixed variables prefix comparison.

Browse Source 
Variable names are not null-terminated, so using ngx_strncmp() without
extra length checks is wrong.

Reported by Markus Linnala,
http://mailman.nginx.org/pipermail/nginx-devel/2015-August/007211.html.
This commit is contained in:
Maxim Dounin 2015-10-19 21:28:17 +03:00
parent b9e0b9df44
commit cc74c63d39
1 changed files with 26 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
src/http/ngx_http_variables.c
View File

@ -575,7 +575,7 @@ ngx_http_get_variable(ngx_http_request_t *r, ngx_str_t *name, ngx_uint_t key)
return NULL;
}
if (ngx_strncmp(name->data, "http_", 5) == 0) {
if (name->len >= 5 && ngx_strncmp(name->data, "http_", 5) == 0) {
if (ngx_http_variable_unknown_header_in(r, vv, (uintptr_t) name)
== NGX_OK)
@ -586,7 +586,7 @@ ngx_http_get_variable(ngx_http_request_t *r, ngx_str_t *name, ngx_uint_t key)
return NULL;
}
if (ngx_strncmp(name->data, "sent_http_", 10) == 0) {
if (name->len >= 10 && ngx_strncmp(name->data, "sent_http_", 10) == 0) {
if (ngx_http_variable_unknown_header_out(r, vv, (uintptr_t) name)
== NGX_OK)
@ -597,7 +597,7 @@ ngx_http_get_variable(ngx_http_request_t *r, ngx_str_t *name, ngx_uint_t key)
return NULL;
}
if (ngx_strncmp(name->data, "upstream_http_", 14) == 0) {
if (name->len >= 14 && ngx_strncmp(name->data, "upstream_http_", 14) == 0) {
if (ngx_http_upstream_header_variable(r, vv, (uintptr_t) name)
== NGX_OK)
@ -608,7 +608,7 @@ ngx_http_get_variable(ngx_http_request_t *r, ngx_str_t *name, ngx_uint_t key)
return NULL;
}
if (ngx_strncmp(name->data, "cookie_", 7) == 0) {
if (name->len >= 7 && ngx_strncmp(name->data, "cookie_", 7) == 0) {
if (ngx_http_variable_cookie(r, vv, (uintptr_t) name) == NGX_OK) {
return vv;
@ -617,7 +617,9 @@ ngx_http_get_variable(ngx_http_request_t *r, ngx_str_t *name, ngx_uint_t key)
return NULL;
}
if (ngx_strncmp(name->data, "upstream_cookie_", 16) == 0) {
if (name->len >= 16
&& ngx_strncmp(name->data, "upstream_cookie_", 16) == 0)
{
if (ngx_http_upstream_cookie_variable(r, vv, (uintptr_t) name)
== NGX_OK)
@ -628,7 +630,7 @@ ngx_http_get_variable(ngx_http_request_t *r, ngx_str_t *name, ngx_uint_t key)
return NULL;
}
if (ngx_strncmp(name->data, "arg_", 4) == 0) {
if (name->len >= 4 && ngx_strncmp(name->data, "arg_", 4) == 0) {
if (ngx_http_variable_argument(r, vv, (uintptr_t) name) == NGX_OK) {
return vv;
@ -2535,21 +2537,27 @@ ngx_http_variables_init_vars(ngx_conf_t *cf)
}
}
if (ngx_strncmp(v[i].name.data, "http_", 5) == 0) {
if (v[i].name.len >= 5
&& ngx_strncmp(v[i].name.data, "http_", 5) == 0)
{
v[i].get_handler = ngx_http_variable_unknown_header_in;
v[i].data = (uintptr_t) &v[i].name;
continue;
}
if (ngx_strncmp(v[i].name.data, "sent_http_", 10) == 0) {
if (v[i].name.len >= 10
&& ngx_strncmp(v[i].name.data, "sent_http_", 10) == 0)
{
v[i].get_handler = ngx_http_variable_unknown_header_out;
v[i].data = (uintptr_t) &v[i].name;
continue;
}
if (ngx_strncmp(v[i].name.data, "upstream_http_", 14) == 0) {
if (v[i].name.len >= 14
&& ngx_strncmp(v[i].name.data, "upstream_http_", 14) == 0)
{
v[i].get_handler = ngx_http_upstream_header_variable;
v[i].data = (uintptr_t) &v[i].name;
v[i].flags = NGX_HTTP_VAR_NOCACHEABLE;
@ -2557,14 +2565,18 @@ ngx_http_variables_init_vars(ngx_conf_t *cf)
continue;
}
if (ngx_strncmp(v[i].name.data, "cookie_", 7) == 0) {
if (v[i].name.len >= 7
&& ngx_strncmp(v[i].name.data, "cookie_", 7) == 0)
{
v[i].get_handler = ngx_http_variable_cookie;
v[i].data = (uintptr_t) &v[i].name;
continue;
}
if (ngx_strncmp(v[i].name.data, "upstream_cookie_", 16) == 0) {
if (v[i].name.len >= 16
&& ngx_strncmp(v[i].name.data, "upstream_cookie_", 16) == 0)
{
v[i].get_handler = ngx_http_upstream_cookie_variable;
v[i].data = (uintptr_t) &v[i].name;
v[i].flags = NGX_HTTP_VAR_NOCACHEABLE;
@ -2572,7 +2584,9 @@ ngx_http_variables_init_vars(ngx_conf_t *cf)
continue;
}
if (ngx_strncmp(v[i].name.data, "arg_", 4) == 0) {
if (v[i].name.len >= 4
&& ngx_strncmp(v[i].name.data, "arg_", 4) == 0)
{
v[i].get_handler = ngx_http_variable_argument;
v[i].data = (uintptr_t) &v[i].name;
v[i].flags = NGX_HTTP_VAR_NOCACHEABLE;