
bugfix: the more_set_input_headers directive might cause invalid memo…

…ry reads because nginx request header values must be null terminated. thanks Maxim Dounin.
1 parent ffdda45 commit 7a719b8aefc67ac425d2ab84e186d08e9005152f @agentzh agentzh committed Dec 23, 2011
Showing with 22 additions and 27 deletions.
  1. +12 −21 src/ngx_http_headers_more_headers_in.c
  2. +8 −5 src/ngx_http_headers_more_util.c
  3. +2 −1 t/input.t
@@ -117,6 +117,7 @@ ngx_http_headers_more_exec_input_cmd(ngx_http_request_t *r,
ngx_str_t value;
ngx_http_headers_more_header_val_t *h;
ngx_uint_t i;
+ u_char *p;
if (!cmd->headers) {
return NGX_OK;
@@ -136,27 +137,17 @@ ngx_http_headers_more_exec_input_cmd(ngx_http_request_t *r,
}
#if 1
- /* XXX nginx core's ngx_http_range_parse
- * function requires null-terminated
- * Range header values. so we have to
- * work-around it here */
-
- if (h[i].key.len == sizeof("Range") - 1 &&
- ngx_strncasecmp(h[i].key.data, (u_char *) "Range",
- sizeof("Range") - 1) == 0)
- {
- u_char *p;
-
- p = ngx_palloc(r->pool, value.len + 1);
- if (p == NULL) {
- return NGX_ERROR;
- }
-
- ngx_memcpy(p, value.data, value.len);
- p[value.len] = '\0';
+ /* Nginx request header value requires to be a null-terminated
+ * C string */
- value.data = p;
+ p = ngx_palloc(r->pool, value.len + 1);
+ if (p == NULL) {
+ return NGX_ERROR;
}
+
+ ngx_memcpy(p, value.data, value.len);
+ p[value.len] = '\0';
+ value.data = p;
#endif
if (h[i].handler(r, &h[i], &value) != NGX_OK) {
@@ -528,8 +519,7 @@ ngx_http_headers_more_parse_directive(ngx_conf_t *cf, ngx_command_t *ngx_cmd,
}
ngx_log_error(NGX_LOG_ERR, cf->log, 0,
- "%V: invalid option name: \"%V\"",
- cmd_name, &arg[i]);
+ "%V: invalid option name: \"%V\"", cmd_name, &arg[i]);
return NGX_CONF_ERROR;
}
@@ -541,6 +531,7 @@ ngx_http_headers_more_parse_directive(ngx_conf_t *cf, ngx_command_t *ngx_cmd,
if (cmd->headers->nelts == 0) {
ngx_pfree(cf->pool, cmd->headers);
cmd->headers = NULL;
+
} else {
h = cmd->headers->elts;
for (i = 0; i < cmd->headers->nelts; i++) {
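Review bot: The `#if 1` / `#endif` pair in the second hunk of ngx_http_headers_more_exec_input_cmd now wraps the memory-safety fix itself rather than an optional Range work-around, so it should be dropped; switching it to 0 would bring back the read past the end of the value and leave the new function-scope `u_char *p;` unused. The new comment would help more if it said what the copy guarantees, for example `/* nginx core may read request header values as C strings, so copy the value into r->pool and append '\0'; value.len does not count the terminator */`. A NUL byte inside the evaluated value would still cut the string short for C-string readers while length-based readers see all of it; whether that can happen depends on code outside these hunks. The t/input.t change shown on this page only renumbers an existing test, so a case that sets a non-Range request header, run under a memory checker, would be worth adding. The function body starts and ends outside the hunks shown.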
@@ -13,11 +13,11 @@ ngx_http_headers_more_parse_header(ngx_conf_t *cf, ngx_str_t *cmd_name,
{
ngx_http_headers_more_header_val_t *hv;
- ngx_uint_t i;
- ngx_str_t key = ngx_null_string;
- ngx_str_t value = ngx_null_string;
- ngx_flag_t seen_end_of_key;
- ngx_http_compile_complex_value_t ccv;
+ ngx_uint_t i;
+ ngx_str_t key = ngx_null_string;
+ ngx_str_t value = ngx_null_string;
+ ngx_flag_t seen_end_of_key;
+ ngx_http_compile_complex_value_t ccv;
hv = ngx_array_push(headers);
if (hv == NULL) {
@@ -114,8 +114,11 @@ ngx_http_headers_more_parse_header(ngx_conf_t *cf, ngx_str_t *cmd_name,
if (value.len == 0) {
ngx_memzero(&hv->value, sizeof(ngx_http_complex_value_t));
return NGX_OK;
+
}
+ /* compile the header value as a complex value */
+
ngx_memzero(&ccv, sizeof(ngx_http_compile_complex_value_t));
ccv.cf = cf;
@@ -426,7 +426,8 @@ X-Foo18: 18\r
--- skip_nginx: 3: < 0.7.46
-=== TEST 18: Accept-Encoding
+
+=== TEST 24: Accept-Encoding
--- config
location /bar {
default_type 'text/plain';
