From 44eade9c1df4ef009d9fcd7721d8e4c34370ca1d Mon Sep 17 00:00:00 2001 From: Maxim Dounin Date: Thu, 15 Mar 2012 11:41:43 +0000 Subject: Merge of r4530, r4531: null character fixes. *) Fixed incorrect ngx_cpystrn() usage in ngx_http_*_process_header(). This resulted in a disclosure of previously freed memory if upstream server returned specially crafted response, potentially exposing sensitive information. Reported by Matthew Daley. *) Headers with null character are now rejected. Headers with NUL character aren't allowed by HTTP standard and may cause various security problems. They are now unconditionally rejected. --- src/http/modules/ngx_http_uwsgi_module.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'src/http/modules/ngx_http_uwsgi_module.c') diff --git a/src/http/modules/ngx_http_uwsgi_module.c b/src/http/modules/ngx_http_uwsgi_module.c index 367388e63..fb5ff0d78 100644 --- a/src/http/modules/ngx_http_uwsgi_module.c +++ b/src/http/modules/ngx_http_uwsgi_module.c @@ -947,8 +947,10 @@ ngx_http_uwsgi_process_header(ngx_http_request_t *r) h->value.data = h->key.data + h->key.len + 1; h->lowcase_key = h->key.data + h->key.len + 1 + h->value.len + 1; - ngx_cpystrn(h->key.data, r->header_name_start, h->key.len + 1); - ngx_cpystrn(h->value.data, r->header_start, h->value.len + 1); + ngx_memcpy(h->key.data, r->header_name_start, h->key.len); + h->key.data[h->key.len] = '\0'; + ngx_memcpy(h->value.data, r->header_start, h->value.len); + h->value.data[h->value.len] = '\0'; if (h->key.len == r->lowcase_index) { ngx_memcpy(h->lowcase_key, r->lowcase_header, h->key.len); -- cgit