Rewrite: fixed escaping and possible buffer overrun

The following code resulted in incorrect escaping of $1 and possible
segfault:

    location / {
        rewrite ^(.*) /new?c=1;
        set $myvar $1;
        return 200 $myvar;
    }

If there were arguments in a rewrite's replacement string, the is_args flag
was set and incorrectly never cleared.  This resulted in escaping applied
to any captures evaluated afterwards in set or if.  Additionally, the buffer
was allocated by ngx_http_script_complex_value_code() without escaping expected,
thus this also resulted in a buffer overrun and possible segfault.

A similar issue was fixed in 74d939974d.

Reported by Leo Lin.
This commit is contained in:
Roman Arutyunyan 2026-04-22 09:39:31 +04:00 committed by Sergey Kandaurov
parent 5f86648ef8
commit 2046b45aa0

@ -1202,6 +1202,7 @@ ngx_http_script_regex_end_code(ngx_http_script_engine_t *e)
r = e->request;
e->is_args = 0;
e->quote = 0;
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
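
Review bot: the e->is_args = 0 reset next to e->quote = 0 in ngx_http_script_regex_end_code() has no comment explaining why the flag must be dropped here, and nothing in this hunk covers the failing case with a test. The commit message says a stale is_args makes later captures in set or if get escaped while ngx_http_script_complex_value_code() sizes the buffer without escaping, so a one-line comment stating that the flag must not outlive the rewrite's replacement string would keep the reset from being removed as redundant later. Since the reset happens only in this function, please confirm that every path that sets is_args for a replacement string also reaches it. A regression test built from the location block in the commit message (rewrite with arguments, then set $myvar $1 and return 200 $myvar) would pin down both the escaping and the buffer sizing.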