From 524977e7c534e87e5b55739fa74601c9f1102686 Mon Sep 17 00:00:00 2001 From: Roman Arutyunyan Date: Wed, 22 Apr 2026 09:39:31 +0400 Subject: [PATCH] Rewrite: fixed escaping and possible buffer overrun The following code resulted in incorrect escaping of $1 and possible segfault: location / { rewrite ^(.*) /new?c=1; set $myvar $1; return 200 $myvar; } If there were arguments in a rewrite's replacement string, the is_args flag was set and incorrectly never cleared. This resulted in escaping applied to any captures evaluated afterwards in set or if. Additionally buffer was allocated by ngx_http_script_complex_value_code() without escaping expected, thus this also resulted in buffer overrun and possible segfault. A similar issue was fixed in 74d939974d43. Reported by Leo Lin. --- src/http/ngx_http_script.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/http/ngx_http_script.c b/src/http/ngx_http_script.c index a2b9f1b7bf..2ea6113735 100644 --- a/src/http/ngx_http_script.c +++ b/src/http/ngx_http_script.c @@ -1202,6 +1202,7 @@ ngx_http_script_regex_end_code(ngx_http_script_engine_t *e) r = e->request; + e->is_args = 0; e->quote = 0; ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, -- 2.53.0
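Review bot: the new `e->is_args = 0;` sits directly beside `e->quote = 0;` at the top of ngx_http_script_regex_end_code(), but the hunk carries no comment saying why both flags must be reset there; since the commit message states that a stale is_args both caused escaping to be applied to captures evaluated later in set or if and let ngx_http_script_complex_value_code() size its buffer without expecting escaping (the overrun), a one-line comment such as `/* reset escaping state left by the replacement string so later captures are not escaped */` would stop the next reader from treating the line as redundant. The patch also adds no regression test for the `rewrite ^(.*) /new?c=1; set $myvar $1; return 200 $myvar;` configuration quoted in the message; a test asserting that $myvar comes back unescaped (and that the request does not crash) would lock in the fix, as the message notes a similar issue was already fixed once before in 74d939974d43.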