bugfix: ngx_http_static_module: the 'Locatoin' response header value was not properly encoded by URI rules.

This may impose security vulnerabilities for Location values from untrusted sources. The corresponding tests are in the lua-nginx-module repo.
2020-06-24 12:58:36 +08:00 · 2020-06-24 12:58:36 +08:00 · 6985198d46
parent 4568281eaf
commit 6985198d46
2 changed files with 57 additions and 0 deletions
--- a/patches/nginx-1.17.8-static_mod_escape_loc_hdr.patch
+++ b/patches/nginx-1.17.8-static_mod_escape_loc_hdr.patch
@ -0,0 +1,50 @@
+diff --git a/src/http/modules/ngx_http_static_module.c b/src/http/modules/ngx_http_static_module.c
+index 282d6ee..899e11e 100644
+--- a/src/http/modules/ngx_http_static_module.c
+++ b/src/http/modules/ngx_http_static_module.c
+@@ -58,6 +58,8 @@ ngx_http_static_handler(ngx_http_request_t *r)
+     ngx_chain_t                out;
+     ngx_open_file_info_t       of;
+     ngx_http_core_loc_conf_t  *clcf;
+    u_char                    *uri;
+    uintptr_t                  escape;
+ 
+     if (!(r->method & (NGX_HTTP_GET|NGX_HTTP_HEAD|NGX_HTTP_POST))) {
+         return NGX_HTTP_NOT_ALLOWED;
+@@ -162,9 +164,21 @@ ngx_http_static_handler(ngx_http_request_t *r)
+ 
+             *last = '/';
+ 
+            escape = 2 * ngx_escape_uri(NULL, location, len, NGX_ESCAPE_URI);
+            if (escape > 0) {
+                uri = ngx_pnalloc(r->pool, len + escape);
+                if (uri == NULL) {
+                   return NGX_ERROR;
+                }
+                ngx_escape_uri(uri, location, len, NGX_ESCAPE_URI);
+                location = uri;
+                len += escape;
+            }
+
+         } else {
+            escape = 2 * ngx_escape_uri(NULL, r->uri.data, r->uri.len, NGX_ESCAPE_URI);
+             if (r->args.len) {
+-                len += r->args.len + 1;
+                len += r->args.len + 1 + escape;
+             }
+ 
+             location = ngx_pnalloc(r->pool, len);
+@@ -173,7 +187,12 @@ ngx_http_static_handler(ngx_http_request_t *r)
+                 return NGX_HTTP_INTERNAL_SERVER_ERROR;
+             }
+ 
+-            last = ngx_copy(location, r->uri.data, r->uri.len);
+            if (escape > 0) {
+                last = (u_char *) ngx_escape_uri(location, r->uri.data, r->uri.len, NGX_ESCAPE_URI);
+
+            } else {
+                last = ngx_copy(location, r->uri.data, r->uri.len);
+            }
+ 
+             *last = '/';
+ 
--- a/util/mirror-tarballs
+++ b/util/mirror-tarballs
@ -443,6 +443,13 @@ fi

 rm -f *.patch || exit 1

+answer=`$root/util/ver-ge "$main_ver" 1.17.8`
+if [ "$answer" = "Y" ]; then
+    echo "$info_txt applying the patch for nginx security issue https://hackerone.com/reports/513236"
+    patch -p1 < $root/patches/nginx-$main_ver-static_mod_escape_loc_hdr.patch
+    echo
+fi
+
 echo "$info_txt applying the always_enable_cc_feature_tests patch to nginx"
 patch -p1 < $root/patches/nginx-$main_ver-always_enable_cc_feature_tests.patch
 echo