From 7cdcb022dcac0e254647d8a66cc1593dff9c4c1a Mon Sep 17 00:00:00 2001
From: Thibault Charbonnier
Date: Fri, 20 Mar 2020 12:05:24 -0700
Subject: [PATCH] bugfix: applied the safe_map_uri_to_path patch to NGINX.
---
 .../nginx-1.15.8-safe_map_uri_to_path.patch | 26 +++++++++++++++++++
 util/mirror-tarballs | 7 +++++
 2 files changed, 33 insertions(+)
 create mode 100644 patches/nginx-1.15.8-safe_map_uri_to_path.patch
diff --git a/patches/nginx-1.15.8-safe_map_uri_to_path.patch b/patches/nginx-1.15.8-safe_map_uri_to_path.patch
new file mode 100644
index 0000000..3e46473
--- /dev/null
+++ b/patches/nginx-1.15.8-safe_map_uri_to_path.patch
@@ -0,0 +1,26 @@
+commit a5895eb502747f396d3901a948834cd87d5fb0c3
+Author: Ruslan Ermilov
+Date: Mon Dec 16 15:19:01 2019 +0300
+
+ Tolerate '\0' in URI when mapping URI to path.
+
+ If a rewritten URI has the null character, only a part of URI was
+ copied to a memory buffer allocated for path. In some setups this
+ could be exploited to expose uninitialized memory via the Location
+ header.
+
+diff --git a/src/http/ngx_http_core_module.c b/src/http/ngx_http_core_module.c
+index aa03fd61..a603e09c 100644
+--- a/src/http/ngx_http_core_module.c
++++ b/src/http/ngx_http_core_module.c
+@@ -1843,7 +1843,8 @@ ngx_http_map_uri_to_path(ngx_http_request_t *r, ngx_str_t *path,
+ }
+ }
+
+- last = ngx_cpystrn(last, r->uri.data + alias, r->uri.len - alias + 1);
++ last = ngx_copy(last, r->uri.data + alias, r->uri.len - alias);
++ *last = '\0';
+
+ return last;
+ }
+
diff --git a/util/mirror-tarballs b/util/mirror-tarballs
index f50472a..695b1f1 100755
--- a/util/mirror-tarballs
+++ b/util/mirror-tarballs
@@ -419,6 +419,13 @@ if [ "$answer" = "Y" ]; then
 fi
 fi
+answer=`$root/util/ver-ge "$main_ver" 1.17.7`
+if [ "$answer" = "N" ]; then
+ echo "$info_txt applying the safe_map_uri_to_path patch to nginx"
+ patch -p1 < $root/patches/nginx-$main_ver-safe_map_uri_to_path.patch || exit 1
+ echo
+fi
+
 rm -f *.patch || exit 1
 echo "$info_txt applying the always_enable_cc_feature_tests patch to nginx"
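Review bot: The new guard applies the patch for every NGINX version below 1.17.7, but the only patch file this commit adds is `patches/nginx-1.15.8-safe_map_uri_to_path.patch`, so a build against any other pre-1.17.7 release dies in the `patch -p1 < ... || exit 1` line with a "no such file" error instead of a message that says which version needs a backport. Either narrow the condition to the versions that actually have a patch file, or check for the file up front and fail with a clear message, e.g. `[ -f "$root/patches/nginx-$main_ver-safe_map_uri_to_path.patch" ] || { echo "$info_txt no safe_map_uri_to_path patch for nginx $main_ver"; exit 1; }`. Quoting the redirect target as `"$root/patches/..."` would also match the quoting already used for `"$main_ver"` in the same hunk. The 1.17.7 cutoff is consistent with the vendored upstream commit being a December 2019 fix, but a one-line comment above the `answer=` line naming that as the release that carries the fix would save the next reader from re-deriving it.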