Klaus Demo nginx / 030e235
Fixed ssi and perl interaction. Embedded perl module assumes there is a space for terminating NUL character, make sure to provide it in all situations by allocating one extra byte for value buffer. Default ssi_value_length is reduced accordingly to preserve 256 byte allocations. While here, fixed another one byte value buffer overrun possible in ssi_quoted_symbol_state. Reported by Matthew Daley. Maxim Dounin 10 years ago
1 changed file(s) with 12 addition(s) and 2 deletion(s).
12031203
12041204 if (ctx->value_buf == NULL) {
12051205 ctx->param->value.data = ngx_pnalloc(r->pool,
1206 ctx->value_len);
1206 ctx->value_len + 1);
12071207 if (ctx->param->value.data == NULL) {
12081208 return NGX_ERROR;
12091209 }
13731373
13741374 case ssi_quoted_symbol_state:
13751375 state = ctx->saved_state;
1376
1377 if (ctx->param->value.len == ctx->value_len) {
1378 ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
1379 "too long \"%V%c...\" value of \"%V\" "
1380 "parameter in \"%V\" SSI command",
1381 &ctx->param->value, ch, &ctx->param->key,
1382 &ctx->command);
1383 state = ssi_error_state;
1384 break;
1385 }
13761386
13771387 ctx->param->value.data[ctx->param->value.len++] = ch;
13781388
28852895 prev->ignore_recycled_buffers, 0);
28862896
28872897 ngx_conf_merge_size_value(conf->min_file_chunk, prev->min_file_chunk, 1024);
2888 ngx_conf_merge_size_value(conf->value_len, prev->value_len, 256);
2898 ngx_conf_merge_size_value(conf->value_len, prev->value_len, 255);
28892899
28902900 if (ngx_http_merge_types(cf, &conf->types_keys, &conf->types,
28912901 &prev->types_keys, &prev->types,
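Review bot: The `+ 1` in the `ngx_pnalloc()` call (new line 1206) and the reduced `255` default (new line 2898) depend on each other, but only the commit message explains why. A comment at the allocation such as `/* one extra byte: embedded perl expects room for a terminating NUL */`, and one at the merge such as `/* 255 + 1 byte for NUL keeps the allocation at 256 bytes */`, would keep a later cleanup from dropping the byte and reintroducing the overrun. The branch taken when `ctx->value_buf` is not NULL lies outside the visible lines, so it is worth confirming that any buffer reused there was also allocated as `value_len + 1`. The new length check in `ssi_quoted_symbol_state` (new lines 1377-1385) looks like it repeats a check and log message used by the other value states; if so, a small shared helper would keep the bound in one place. The enclosing functions start and end outside these hunks.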