diff --git a/0008-Dav-destination-length-validation-for-COPY-and-MOVE.patch b/0008-Dav-destination-length-validation-for-COPY-and-MOVE.patch new file mode 100644 index 0000000..615a70b --- /dev/null +++ b/0008-Dav-destination-length-validation-for-COPY-and-MOVE.patch @@ -0,0 +1,31 @@ +diff --git a/src/http/modules/ngx_http_dav_module.c b/src/http/modules/ngx_http_dav_module.c +index cfb9892..6bf438a 100644 +--- a/src/http/modules/ngx_http_dav_module.c ++++ b/src/http/modules/ngx_http_dav_module.c +@@ -548,6 +548,7 @@ ngx_http_dav_copy_move_handler(ngx_http_request_t *r) + ngx_ext_rename_file_t ext; + ngx_http_dav_copy_ctx_t copy; + ngx_http_dav_loc_conf_t *dlcf; ++ ngx_http_core_loc_conf_t *clcf; + + if (r->headers_in.content_length_n > 0 || r->headers_in.chunked) { + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, +@@ -644,6 +645,18 @@ destination_done: + return NGX_HTTP_CONFLICT; + } + ++ clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); ++ ++ if (clcf->alias ++ && clcf->alias != NGX_MAX_SIZE_T_VALUE ++ && duri.len < clcf->alias) ++ { ++ ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, ++ "client sent invalid \"Destination\" header: \"%V\"", ++ &dest->value); ++ return NGX_HTTP_BAD_REQUEST; ++ } ++ + depth = ngx_http_dav_depth(r, NGX_HTTP_DAV_INFINITY_DEPTH); + + if (depth != NGX_HTTP_DAV_INFINITY_DEPTH) { diff --git a/nginx.spec b/nginx.spec index 675c955..b139a93 100644 --- a/nginx.spec +++ b/nginx.spec @@ -118,6 +118,11 @@ Patch5: 0006-Clarify-binding-behavior-of-t-option.patch # upstream patch - https://github.com/nginx/nginx/commit/784fa05025cb8cd0c770f99bc79d2794b9f85b6e Patch6: 0007-Upstream-detect-premature-plain-text-response-from-S.patch +# https://redhat.atlassian.net/browse/RHEL-159548 +# upstream patch - https://github.com/nginx/nginx/commit/a1d18284e0a17 +# whitespace were removed from the patch +Patch7: 0008-Dav-destination-length-validation-for-COPY-and-MOVE.patch + BuildRequires: make BuildRequires: gcc BuildRequires: gnupg2