Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

Loading…

Bugfix: missing string terminator while mounting the charset (nginx) #148

Merged
merged 1 commit into from

2 participants

@zimmerle
Owner

The charset in headers is mounted using ngx_snprintf which
does not place the string terminator. This patch adds the
terminator at the end of the string. The size was correctly
allocated, just missing the terminator.

This bug was report at:

Both reports comes with patch, first by Veli Pekka Jutila and
second by wellumies.

@zimmerle zimmerle Bugfix: missing string terminator while mounting the charset (nginx)
The charset in headers is mounted using ngx_snprintf which
does not place the string terminator. This patch adds the
terminator at the end of the string. The size was correctly
allocated, just missing the terminator.

This bug was report at:
- https://www.modsecurity.org/tracker/browse/MODSEC-420
- SpiderLabs#142

Both reports cames with patch, first by Veli Pekka Jutila and
second by wellumies.
ff19dcd
@rcbarnett rcbarnett merged commit b76e26d into from
@ahuango ahuango referenced this pull request from a commit in ahuango/ModSecurity
@ahuango ahuango Clean the garbage character after the duplicated charset property
Pull request #148 by zimmerle doesn't fix the problem. '\0' in format
string won't be processed by "ngx_vslprintf".
When the garbage character is '\n' or '\r', http response is cracked and
browsers may go crashing.
8f70871
@zimmerle zimmerle referenced this pull request from a commit
@ahuango ahuango Clean the garbage character after the duplicated charset property
Pull request #148 by zimmerle doesn't fix the problem. '\0' in format
string won't be processed by "ngx_vslprintf".
When the garbage character is '\n' or '\r', http response is cracked and
browsers may go crashing.
b788ce2
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Commits on Oct 1, 2013
  1. @zimmerle

    Bugfix: missing string terminator while mounting the charset (nginx)

    zimmerle authored
    The charset in headers is mounted using ngx_snprintf which
    does not place the string terminator. This patch adds the
    terminator at the end of the string. The size was correctly
    allocated, just missing the terminator.
    
    This bug was report at:
    - https://www.modsecurity.org/tracker/browse/MODSEC-420
    - SpiderLabs#142
    
    Both reports cames with patch, first by Veli Pekka Jutila and
    second by wellumies.
This page is out of date. Refresh to see the latest.
Showing with 1 addition and 1 deletion.
  1. +1 −1  nginx/modsecurity/ngx_http_modsecurity.c
View
2  nginx/modsecurity/ngx_http_modsecurity.c
@@ -615,7 +615,7 @@ ngx_http_modsecurity_load_headers_out(ngx_http_request_t *r)
}
ngx_snprintf(content_type, content_type_len,
- "%V; charset=%V",
+ "%V; charset=%V\0",
&r->headers_out.content_type,
&r->headers_out.charset);
Something went wrong with that request. Please try again.