| author | Maxim Dounin <mdounin@mdounin.ru> | 2012-03-15 11:23:07 +0000 |
|---|---|---|
| committer | Maxim Dounin <mdounin@mdounin.ru> | 2012-03-15 11:23:07 +0000 |
| commit | 030e235ec70868469cb6aaf01f25fc29d579e028 (patch) | |
| tree | 04c937dbec32f2b6c56041bf59d26692bd059f30 | |
| parent | 205394e6f90c8aa2aac000e46d4b7a1eff5bbfd2 (diff) | |
Fixed ssi and perl interaction.
Embedded perl module assumes there is a space for terminating NUL character,
make sure to provide it in all situations by allocating one extra byte for
value buffer. Default ssi_value_length is reduced accordingly to
preserve 256 byte allocations.
While here, fixed another one byte value buffer overrun possible in
ssi_quoted_symbol_state.
Reported by Matthew Daley.
| -rw-r--r-- | src/http/modules/ngx_http_ssi_filter_module.c | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/src/http/modules/ngx_http_ssi_filter_module.c b/src/http/modules/ngx_http_ssi_filter_module.c index b02300f39..0d86e692a 100644 --- a/src/http/modules/ngx_http_ssi_filter_module.c +++ b/src/http/modules/ngx_http_ssi_filter_module.c @@ -1204,7 +1204,7 @@ ngx_http_ssi_parse(ngx_http_request_t *r, ngx_http_ssi_ctx_t *ctx) if (ctx->value_buf == NULL) { ctx->param->value.data = ngx_pnalloc(r->pool, - ctx->value_len); + ctx->value_len + 1); if (ctx->param->value.data == NULL) { return NGX_ERROR; } @@ -1375,6 +1375,16 @@ ngx_http_ssi_parse(ngx_http_request_t *r, ngx_http_ssi_ctx_t *ctx) case ssi_quoted_symbol_state: state = ctx->saved_state; + if (ctx->param->value.len == ctx->value_len) { + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, + "too long \"%V%c...\" value of \"%V\" " + "parameter in \"%V\" SSI command", + &ctx->param->value, ch, &ctx->param->key, + &ctx->command); + state = ssi_error_state; + break; + } + ctx->param->value.data[ctx->param->value.len++] = ch; break; @@ -2886,7 +2896,7 @@ ngx_http_ssi_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child) prev->ignore_recycled_buffers, 0); ngx_conf_merge_size_value(conf->min_file_chunk, prev->min_file_chunk, 1024); - ngx_conf_merge_size_value(conf->value_len, prev->value_len, 256); + ngx_conf_merge_size_value(conf->value_len, prev->value_len, 255); if (ngx_http_merge_types(cf, &conf->types_keys, &conf->types, &prev->types_keys, &prev->types, |
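Review bot: The `ctx->value_len + 1` passed to `ngx_pnalloc()` in the first hunk has no comment, so the invariant it sets up (value_len bytes of data plus one spare byte that the embedded perl module expects for a terminating NUL) is recorded only in the commit message. I would add `/* one extra byte for the terminating NUL expected by the embedded perl module */` above the allocation. Only the `ctx->value_buf == NULL` branch is visible here; if the other branch reuses `ctx->value_buf`, it is worth confirming that this buffer is also sized value_len + 1, since ngx_http_ssi_parse() continues outside the hunk.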
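Review bot: The new guard in `ssi_quoted_symbol_state` compares with `==`, which bounds the store only while every state that appends to `value.data` checks first and advances `value.len` by exactly one; `if (ctx->param->value.len >= ctx->value_len) {` fails closed if that ever stops holding. A short comment such as `/* value.data holds at most value_len bytes; reject before appending */` would also make clear why the check has to precede the store. The enclosing switch in ngx_http_ssi_parse() starts and ends outside the hunk, so the other value states cannot be compared from here.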
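Review bot: The new default in `ngx_conf_merge_size_value(conf->value_len, prev->value_len, 255)` is a magic number whose reason (255 data bytes plus the extra NUL byte keep the allocation at 256) is stated only in the commit message; a comment like `/* 255 + 1 byte for NUL = 256 byte allocation */` beside it would keep that visible. This is also a user-visible change: a value of exactly 256 bytes, which the old default presumably accepted, now takes the "too long" error path, and an explicit `ssi_value_length 256` now allocates 257 bytes. The directive's documentation should presumably be updated to match. ngx_http_ssi_merge_loc_conf() continues outside the hunk.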
