nginx/src
Roman Arutyunyan 3f135ae2eb Rewrite: fix buffer overflow with overlapping captures
When the rewrite replacement string had no variables, but had
overlapping captures, the length of the allocated buffer could be
smaller than the replacement string.  This could happen either
when the "redirect" parameter is specified, or when arguments are
present in the replacement string.

The following configurations resulted in heap buffer overflow when
using URI "/++++++++++++++++++++++++++++++":

    location / {
        rewrite ^/((.*))$ http://127.0.0.1:8080/$1$2 redirect;
        return 200 foo;
    }

    location / {
        rewrite ^/((.*))$ http://127.0.0.1:8080/?$1$2;
        return 200 foo;
    }

Reported by Mufeed VH of Winfunc Research.
2026-05-22 19:07:28 +04:00
core Version bump 2026-05-22 19:07:28 +04:00
event QUIC: avoid assigning unvalidated address to new streams 2026-05-13 21:20:55 +04:00
http Rewrite: fix buffer overflow with overlapping captures 2026-05-22 19:07:28 +04:00
mail Mail: fixed clearing s->passwd in auth http requests. 2026-03-24 18:46:36 +04:00
misc Cpp test: added stream. 2020-10-13 07:44:09 +03:00
os Win32: fixed C4319 warning with MSVC 2022 x86. 2025-12-24 11:41:43 -07:00
stream Fixed the "include" directive inside the "geo" block. 2026-03-24 11:20:16 -07:00
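A configuration audit for the rewrite shape named in the commit message above, as an added example (not nginx code and not part of the commit). It assumes "overlapping captures" means a capturing group nested inside another, as in the message's two configurations, and it only parses unquoted `rewrite` directives; `audit` and `has_nested_captures` are hypothetical helper names.

```python
import re
# Unquoted "rewrite <regex> <replacement> [flag];" directives only.
REWRITE = re.compile(r'^\s*rewrite\s+(\S+)\s+(\S+?)(?:\s+(\w+))?\s*;', re.M)

def has_nested_captures(pattern):
    """True if a capturing group opens inside another; (?:...) and lookarounds don't count."""
    stack, i, in_class = [], 0, False   # stack holds True per open capturing group
    while i < len(pattern):
        c = pattern[i]
        if c == '\\':                   # skip the escaped character
            i += 2
            continue
        if in_class:
            in_class = c != ']'
        elif c == '[':
            in_class = True
        elif c == '(':
            rest = pattern[i + 1:]
            capturing = rest[:1] != '?' or bool(re.match(r"\?(P?<(?![=!])|')", rest))
            if capturing and any(stack):
                return True
            stack.append(capturing)
        elif c == ')' and stack:
            stack.pop()
        i += 1
    return False

def audit(conf):
    """Return (line, regex, replacement, flag) for rewrites matching the commit's conditions."""
    findings = []
    for m in REWRITE.finditer(conf):
        regex, repl, flag = m.groups()
        n_caps = len(set(re.findall(r'\$(\d)', repl)))
        if n_caps < 2 or re.search(r'\$(?:\{|[A-Za-z_])', repl):
            continue                    # needs 2+ distinct captures and no variables
        if has_nested_captures(regex) and (flag == 'redirect' or '?' in repl):
            findings.append((conf.count('\n', 0, m.start(1)) + 1, regex, repl, flag))
    return findings

# Constructed sample: the first two lines are the commit message's own rewrites.
SAMPLE = """\
rewrite ^/((.*))$ http://127.0.0.1:8080/$1$2 redirect;
rewrite ^/((.*))$ http://127.0.0.1:8080/?$1$2;
rewrite ^/(.*)/(.*)$ /index.php?a=$1&b=$2 last;
rewrite ^/((.*))$ http://$host/$1$2 redirect;
"""

if __name__ == '__main__':
    print(*audit(SAMPLE), sep='\n')
```

A hit means the directive has the shape the commit message describes, not that the running binary is affected; builds that include commit 3f135ae2eb carry the fix.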