mirror
/
nginx
mirror of https://github.com/nginx/nginx
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Proxy: fixed segfault in URI change. 

If request URI was shorter than location prefix, as after replacement
with try_files, location length was used to copy the remaining URI part
leading to buffer overread.

The fix is to replace full request URI in this case.  In the following
configuration, request "/123" is changed to "/" when sent to backend.

    location /1234 {
        try_files /123 =404;
        proxy_pass http://127.0.0.1:8080/;
    }

Closes #983 on GitHub.
This commit is contained in:
Sergey Kandaurov 2025-11-24 15:57:09 +04:00 committed by Sergey Kandaurov
parent 6446f99107
commit bcb41c9193
1 changed files with 4 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/http/modules/ngx_http_proxy_module.c
View File

@ -1206,7 +1206,8 @@ ngx_http_proxy_create_key(ngx_http_request_t *r)
return NGX_OK; return NGX_OK;
} }
loc_len = (r->valid_location && ctx->vars.uri.len) ? plcf->location.len : 0; loc_len = (r->valid_location && ctx->vars.uri.len)
? ngx_min(plcf->location.len, r->uri.len) : 0;
if (r->quoted_uri || r->internal) { if (r->quoted_uri || r->internal) {
escape = 2 * ngx_escape_uri(NULL, r->uri.data + loc_len, escape = 2 * ngx_escape_uri(NULL, r->uri.data + loc_len,
@ -1318,8 +1319,8 @@ ngx_http_proxy_create_request(ngx_http_request_t *r)
uri_len = r->unparsed_uri.len; uri_len = r->unparsed_uri.len;
} else { } else {
loc_len = (r->valid_location && ctx->vars.uri.len) ? loc_len = (r->valid_location && ctx->vars.uri.len)
plcf->location.len : 0; ? ngx_min(plcf->location.len, r->uri.len) : 0;
if (r->quoted_uri || r->internal) { if (r->quoted_uri || r->internal) {
escape = 2 * ngx_escape_uri(NULL, r->uri.data + loc_len, escape = 2 * ngx_escape_uri(NULL, r->uri.data + loc_len,