Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bugfix: missing string terminator while mounting the charset (nginx) #148

Merged
merged 1 commit into from Oct 1, 2013
Merged

Bugfix: missing string terminator while mounting the charset (nginx) #148

merged 1 commit into from Oct 1, 2013

Conversation

zimmerle
Copy link
Contributor

@zimmerle zimmerle commented Oct 1, 2013

The charset in headers is mounted using ngx_snprintf which
does not place the string terminator. This patch adds the
terminator at the end of the string. The size was correctly
allocated, just missing the terminator.

This bug was report at:

Both reports comes with patch, first by Veli Pekka Jutila and
second by wellumies.

@zimmerle
Bugfix: missing string terminator while mounting the charset (nginx)
ff19dcd 
The charset in headers is mounted using ngx_snprintf which
does not place the string terminator. This patch adds the
terminator at the end of the string. The size was correctly
allocated, just missing the terminator.

This bug was report at:
- https://www.modsecurity.org/tracker/browse/MODSEC-420
- owasp-modsecurity#142

Both reports cames with patch, first by Veli Pekka Jutila and
second by wellumies.
rcbarnett-zz pushed a commit that referenced this pull request Oct 1, 2013
@rcbarnett
Merge pull request #148 from zimmerle/bugfix_charset_missing_string_t…
b76e26d 
…erminator

Bugfix: missing string terminator while mounting the charset (nginx)
@rcbarnett-zz rcbarnett-zz merged commit b76e26d into owasp-modsecurity:remotes/trunk Oct 1, 2013
@rcbarnett-zz rcbarnett-zz mentioned this pull request Oct 17, 2013
Closed
ahuango added a commit to ahuango/ModSecurity that referenced this pull request Dec 12, 2013
@ahuango
Clean the garbage character after the duplicated charset property
8f70871 
Pull request owasp-modsecurity#148 by zimmerle doesn't fix the problem. '\0' in format
string won't be processed by "ngx_vslprintf".
When the garbage character is '\n' or '\r', http response is cracked and
browsers may go crashing.
@ahuango ahuango mentioned this pull request Dec 12, 2013
Closed
zimmerle pushed a commit that referenced this pull request Dec 19, 2013
@ahuango
Clean the garbage character after the duplicated charset property
b788ce2 
Pull request #148 by zimmerle doesn't fix the problem. '\0' in format
string won't be processed by "ngx_vslprintf".
When the garbage character is '\n' or '\r', http response is cracked and
browsers may go crashing.
@zimmerle zimmerle mentioned this pull request Dec 21, 2013
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@zimmerle @rcbarnett-zz