43 lines
1.3 KiB
Diff
43 lines
1.3 KiB
Diff
From 524977e7c534e87e5b55739fa74601c9f1102686 Mon Sep 17 00:00:00 2001
|
|
From: Roman Arutyunyan <arut@nginx.com>
|
|
Date: Wed, 22 Apr 2026 09:39:31 +0400
|
|
Subject: [PATCH] Rewrite: fixed escaping and possible buffer overrun
|
|
|
|
The following code resulted in incorrect escaping of $1 and possible
|
|
segfault:
|
|
|
|
location / {
|
|
rewrite ^(.*) /new?c=1;
|
|
set $myvar $1;
|
|
return 200 $myvar;
|
|
}
|
|
|
|
If there were arguments in a rewrite's replacement string, the is_args flag
|
|
was set and incorrectly never cleared. This resulted in escaping applied
|
|
to any captures evaluated afterwards in set or if. Additionally buffer was
|
|
allocated by ngx_http_script_complex_value_code() without escaping expected,
|
|
thus this also resulted in buffer overrun and possible segfault.
|
|
|
|
A similar issue was fixed in 74d939974d43.
|
|
|
|
Reported by Leo Lin.
|
|
---
|
|
src/http/ngx_http_script.c | 1 +
|
|
1 file changed, 1 insertion(+)
|
|
|
|
diff --git a/src/http/ngx_http_script.c b/src/http/ngx_http_script.c
|
|
index a2b9f1b7bf..2ea6113735 100644
|
|
--- a/src/http/ngx_http_script.c
|
|
+++ b/src/http/ngx_http_script.c
|
|
@@ -1202,6 +1202,7 @@ ngx_http_script_regex_end_code(ngx_http_script_engine_t *e)
|
|
|
|
r = e->request;
|
|
|
|
+ e->is_args = 0;
|
|
e->quote = 0;
|
|
|
|
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
|
|
--
|
|
2.53.0
|
|
|