nginx/src
Roman Arutyunyan ca4f92a274 Rewrite: fix buffer overflow with overlapping captures
When the rewrite replacement string had no variables, but had
overlapping captures, the length of the allocated buffer could be
smaller than the replacement string.  This could happen either
when the "redirect" parameter is specified, or when arguments are
present in the replacement string.

The following configurations resulted in a heap buffer overflow when
using URI "/++++++++++++++++++++++++++++++":

    location / {
        rewrite ^/((.*))$ http://127.0.0.1:8080/$1$2 redirect;
        return 200 foo;
    }

    location / {
        rewrite ^/((.*))$ http://127.0.0.1:8080/?$1$2;
        return 200 foo;
    }

Reported by Mufeed VH of Winfunc Research.
2026-05-22 18:55:09 +04:00
core Version bump 2026-05-13 20:19:15 +01:00
event QUIC: avoid assigning unvalidated address to new streams 2026-05-13 21:19:47 +04:00
http Rewrite: fix buffer overflow with overlapping captures 2026-05-22 18:55:09 +04:00
mail Mail: style 2026-05-15 16:25:01 +04:00
misc Cpp test: added stream. 2020-10-13 07:44:09 +03:00
os Win32: fixed C4319 warning with MSVC 2022 x86. 2025-12-24 11:41:43 -07:00
stream Stream: least_time balancer module 2026-05-04 21:19:40 +05:30