Control flow hijack in njs_value_property #324
Comments
Thanks for reporting, will be fixed. Regarding remote exploitability: the nginx-njs threat model considers njs code as a part of nginx configuration (which includes among other things certificates and keys). So, njs code is expected not to be controllable by a remote user.
@xeioex, @Changochen, When running Can I assume that our nginx is not affected by this defect? Thanks.
Yes, you are not affected.
Thanks @xeioex for the confirmation.
This correctly fixes the issues addressed in 1405:9beb9ea093b5. The initial fix wrongly assumed that the "value" pointer is still valid when njs_is_fast_array(&state->value) is true and the pointer can be used for the fast path. This is not the case when the array object is resized. Moreover, the fast path branch may be completely eliminated because JSON.parse() with the replacer function is relatively slow by itself. This closes #323, #324, #325 issues on GitHub.
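An added C illustration of the bug class the commit message describes, using constructed stand-in types (not njs's own code): a base pointer into a growable array is cached before a user callback that can resize the array, so it dangles once the buffer is reallocated; the hardened walk re-derives the pointer after every callback and uses a generation counter, rather than an address comparison, to notice resizes.

```c
#include <stdlib.h>

/* Constructed stand-in for a growable "fast array"; not njs's own type. */
typedef struct {
    int *values;
    size_t length, capacity;
    unsigned generation;              /* bumped on every reallocation */
} fast_array_t;

static int array_push(fast_array_t *a, int v) {
    if (a->length == a->capacity) {
        size_t ncap = a->capacity ? a->capacity * 2 : 2;
        int *nv = realloc(a->values, ncap * sizeof *nv);   /* may move */
        if (nv == NULL) return -1;
        a->values = nv; a->capacity = ncap; a->generation++;
    }
    a->values[a->length++] = v;
    return 0;
}
typedef void (*replacer_t)(fast_array_t *a, size_t idx);

/* Hardened walk. The buggy pattern from the commit message would be
 *   int *elem = a->values; ... replacer(a, i); sum += elem[i];
 * a pointer cached before user code that can resize (and free) the buffer.
 * Here the base pointer is re-read after each callback, and the generation
 * counter records resizes (realloc may grow in place, so an address compare
 * would miss cases where outstanding pointers are still invalidated). */
static long walk_array(fast_array_t *a, replacer_t replacer, unsigned *resizes) {
    long sum = 0; *resizes = 0;
    for (size_t i = 0; i < a->length; i++) {
        unsigned gen = a->generation;
        replacer(a, i);               /* user code: may push, i.e. resize */
        if (a->generation != gen) (*resizes)++;
        sum += a->values[i];          /* fresh base pointer, never cached */
    }
    return sum;
}
/* Constructed replacer: appends 2*value for the first three indexes,
 * forcing the array to grow while the walk is in progress. */
static void growing_replacer(fast_array_t *a, size_t idx) {
    if (idx < 3) array_push(a, a->values[idx] * 2);
}
static long run_demo(unsigned *resizes) {
    fast_array_t a = { NULL, 0, 0, 0 };
    array_push(&a, 1); array_push(&a, 2);   /* capacity 2, already full */
    long s = walk_array(&a, growing_replacer, resizes);
    free(a.values);
    return s;
}
long demo_sum(void)        { unsigned r; return run_demo(&r); }
unsigned demo_resizes(void){ unsigned r; run_demo(&r); return r; }
```

With the constructed input the array is reallocated twice during the walk; the cached-pointer variant would read freed memory on both occasions, while the hardened walk sums every element safely.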
Fixed in 9ab425e.
Version: 0.4.2, git commit 32a70c899c1f136fbc3f97fcc050d59e0bd8c6a5
This bug is likely exploitable.
POC:
cmd: njs poc.js
Stack dump: