bugfix: ngx_http_static_module: the 'Locatoin' response header value was not properly encoded by URI rules.
This may impose security vulnerabilities for Location values from untrusted sources. The corresponding tests are in the lua-nginx-module repo.
This commit is contained in:
lijunlong
Yichun Zhang (agentzh)
parent
4568281eaf
commit
6985198d46
|
|
@ -0,0 +1,50 @@
|
||||||
|
diff --git a/src/http/modules/ngx_http_static_module.c b/src/http/modules/ngx_http_static_module.c
|
||||||
|
index 282d6ee..899e11e 100644
|
||||||
|
--- a/src/http/modules/ngx_http_static_module.c
|
||||||
|
+++ b/src/http/modules/ngx_http_static_module.c
|
||||||
|
@@ -58,6 +58,8 @@ ngx_http_static_handler(ngx_http_request_t *r)
|
||||||
|
ngx_chain_t out;
|
||||||
|
ngx_open_file_info_t of;
|
||||||
|
ngx_http_core_loc_conf_t *clcf;
|
||||||
|
+ u_char *uri;
|
||||||
|
+ uintptr_t escape;
|
||||||
|
|
||||||
|
if (!(r->method & (NGX_HTTP_GET|NGX_HTTP_HEAD|NGX_HTTP_POST))) {
|
||||||
|
return NGX_HTTP_NOT_ALLOWED;
|
||||||
|
@@ -162,9 +164,21 @@ ngx_http_static_handler(ngx_http_request_t *r)
|
||||||
|
|
||||||
|
*last = '/';
|
||||||
|
|
||||||
|
+ escape = 2 * ngx_escape_uri(NULL, location, len, NGX_ESCAPE_URI);
|
||||||
|
+ if (escape > 0) {
|
||||||
|
+ uri = ngx_pnalloc(r->pool, len + escape);
|
||||||
|
+ if (uri == NULL) {
|
||||||
|
+ return NGX_ERROR;
|
||||||
|
+ }
|
||||||
|
+ ngx_escape_uri(uri, location, len, NGX_ESCAPE_URI);
|
||||||
|
+ location = uri;
|
||||||
|
+ len += escape;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
} else {
|
||||||
|
+ escape = 2 * ngx_escape_uri(NULL, r->uri.data, r->uri.len, NGX_ESCAPE_URI);
|
||||||
|
if (r->args.len) {
|
||||||
|
- len += r->args.len + 1;
|
||||||
|
+ len += r->args.len + 1 + escape;
|
||||||
|
}
|
||||||
|
|
||||||
|
location = ngx_pnalloc(r->pool, len);
|
||||||
|
@@ -173,7 +187,12 @@ ngx_http_static_handler(ngx_http_request_t *r)
|
||||||
|
return NGX_HTTP_INTERNAL_SERVER_ERROR;
|
||||||
|
}
|
||||||
|
|
||||||
|
- last = ngx_copy(location, r->uri.data, r->uri.len);
|
||||||
|
+ if (escape > 0) {
|
||||||
|
+ last = (u_char *) ngx_escape_uri(location, r->uri.data, r->uri.len, NGX_ESCAPE_URI);
|
||||||
|
+
|
||||||
|
+ } else {
|
||||||
|
+ last = ngx_copy(location, r->uri.data, r->uri.len);
|
||||||
|
+ }
|
||||||
|
|
||||||
|
*last = '/';
|
||||||
|
|
||||||
|
|
@ -443,6 +443,13 @@ fi
|
||||||
|
|
||||||
rm -f *.patch || exit 1
|
rm -f *.patch || exit 1
|
||||||
|
|
||||||
|
answer=`$root/util/ver-ge "$main_ver" 1.17.8`
|
||||||
|
if [ "$answer" = "Y" ]; then
|
||||||
|
echo "$info_txt applying the patch for nginx security issue https://hackerone.com/reports/513236"
|
||||||
|
patch -p1 < $root/patches/nginx-$main_ver-static_mod_escape_loc_hdr.patch
|
||||||
|
echo
|
||||||
|
fi
|
||||||
|
|
||||||
echo "$info_txt applying the always_enable_cc_feature_tests patch to nginx"
|
echo "$info_txt applying the always_enable_cc_feature_tests patch to nginx"
|
||||||
patch -p1 < $root/patches/nginx-$main_ver-always_enable_cc_feature_tests.patch
|
patch -p1 < $root/patches/nginx-$main_ver-always_enable_cc_feature_tests.patch
|
||||||
echo
|
echo
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue