[PATCH 01 of 10] Rewrite: fixed incorrect escaping and possible segfault
Maxim Dounin
mdounin at mdounin.ru
Sun May 17 00:12:34 UTC 2026
# HG changeset patch
# User Maxim Dounin <mdounin at mdounin.ru>
# Date 1778971812 -10800
# Sun May 17 01:50:12 2026 +0300
# Node ID 9aadc356492de0e61c8ee202c246c2353e8fbc83
# Parent 5fec4281a4931de7888a7994ff1bd7f6d7254fb7
Rewrite: fixed incorrect escaping and possible segfault.

Similarly to 4617:972642646f06, the following code resulted in incorrect
escaping of the $temp variable and possible segfault:

    location / {
        rewrite ^(.*) /uri?args;
        set $temp $1;
        return 200 "$temp";
    }

If there were arguments in rewrite's replacement string, the is_args
flag was set and never cleared. This resulted in escaping being
incorrectly applied to positional captures evaluated after the rewrite
in the same script engine, notably in "set", "if", and "rewrite"
directives. Additionally, in "set", "if", and "rewrite" with duplicate
captures or additional variables, the buffer was allocated without
escaping expected, so this also resulted in a buffer overrun and a
possible segfault (CVE-2026-42945).

The fix is to clear the is_args flag after rewrite evaluation in
ngx_http_script_regex_end_code(), similarly to how we clear e->quote
and e->args.

Additionally, to ensure that buffer allocation stays correct even if the
is_args flag is somehow set, e->is_args is now propagated to length
calculations in ngx_http_script_regex_start_code() and in
ngx_http_script_complex_value_code().

See also:
https://github.com/nginx/nginx/commit/2046b45aa0c6e712c216b9075886f3f26e9b4ca9

diff --git a/src/http/ngx_http_script.c b/src/http/ngx_http_script.c
--- a/src/http/ngx_http_script.c
+++ b/src/http/ngx_http_script.c
@@ -1161,6 +1161,7 @@ ngx_http_script_regex_start_code(ngx_htt
le.line = e->line;
le.request = r;
le.quote = code->redirect;
+ le.is_args = e->is_args;
len = 0;
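Review bot: `le.is_args = e->is_args;` propagates the flag into the length engine but does not reset it, so a stale `e->is_args` left over from an earlier rewrite still makes the replacement both sized and emitted with args escaping applied; the allocation now matches the copy, which is the defensive half the commit message describes, while the escaping itself is only fixed by the clear in ngx_http_script_regex_end_code(). A one-line comment at this assignment, saying that `le` must mirror whatever the copy pass in `e` will see and that the clear at regex end is what normally keeps it zero on entry, would stop a later reader from "simplifying" it to `le.is_args = 0;`.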
@@ -1203,6 +1204,7 @@ ngx_http_script_regex_end_code(ngx_http_
r = e->request;
e->quote = 0;
+ e->is_args = 0;
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
"http script regex end");
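Review bot: `e->is_args = 0;` is placed at function entry right after `e->quote = 0;`, ahead of the rest of the function body, so every path through the regex end code clears it; that placement is the right one. On its own the line reads as an arbitrary reset, though: a short comment that the flag is set by a '?' in the replacement string and must not leak into the captures evaluated by later set/if/rewrite codes (the bug described in the log) would put the intent in the code rather than only in the commit message.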
@@ -1769,6 +1771,7 @@ ngx_http_script_complex_value_code(ngx_h
le.line = e->line;
le.request = e->request;
le.quote = e->quote;
+ le.is_args = e->is_args;
for (len = 0; *(uintptr_t *) le.ip; len += lcode(&le)) {
lcode = *(ngx_http_script_len_code_pt *) le.ip;
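Review bot: `le.is_args = e->is_args;` seeds the complex-value length engine with the same escaping state the copy pass in `e` uses, which removes the size/emit mismatch behind the overrun for set/if. This is the second length engine in the patch initialised field by field from `e` (`line`, `request`, `quote`, now `is_args`); a small helper that builds a length engine from its value engine would stop the next escaping-related field from being forgotten in one of the two places. Minor, not blocking.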
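Added illustration, not nginx code and not part of this patch: a small C model of the two-pass length/copy evaluation the commit message describes. The engine struct, the set of characters escaped as %XX inside arguments, and the capture string "a b&c" are all constructed for the example; nginx's own structures and escape tables differ. It replays the config from the commit message (a rewrite whose replacement contains '?', followed by a set of a capture) and reports what $temp ends up holding and by how many bytes the copy pass would exceed the allocation, with neither, either or both halves of the fix applied.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the single engine field that matters here.
 * Not nginx's ngx_http_script_engine_t; illustration only. */
typedef struct {
    int is_args;   /* 1 once a '?' in a rewrite replacement has been emitted */
} engine_t;

/* Characters the model escapes as %XX inside query args.  A constructed
 * subset for illustration, not nginx's escape table. */
static int needs_args_escape(unsigned char c)
{
    return c == ' ' || c == '&' || c == '?' || c == '#' || c == '%' || c == '+';
}

/* Length pass: bytes a capture will occupy under the engine's state. */
static size_t capture_len_code(const engine_t *e, const char *cap)
{
    size_t n = 0;
    for (const unsigned char *p = (const unsigned char *) cap; *p; p++) {
        n += (e->is_args && needs_args_escape(*p)) ? 3 : 1;
    }
    return n;
}

/* Copy pass: emit the capture, escaping if is_args is set; returns bytes written. */
static size_t capture_copy_code(const engine_t *e, char *dst, const char *cap)
{
    static const char hex[] = "0123456789ABCDEF";
    char *d = dst;
    for (const unsigned char *p = (const unsigned char *) cap; *p; p++) {
        if (e->is_args && needs_args_escape(*p)) {
            *d++ = '%';
            *d++ = hex[*p >> 4];
            *d++ = hex[*p & 0x0f];
        } else {
            *d++ = (char) *p;
        }
    }
    return (size_t) (d - dst);
}

/* Models "rewrite ^(.*) /uri?args;": the '?' sets is_args.  With the fix,
 * the regex end code clears it again before the next directive runs. */
static void rewrite_code(engine_t *e, int clear_at_regex_end)
{
    e->is_args = 1;
    if (clear_at_regex_end) {
        e->is_args = 0;
    }
}

typedef struct {
    size_t overrun;    /* bytes the copy pass writes past the allocation */
    char   temp[64];   /* what $temp ends up holding */
} set_result_t;

/* Models "set $temp $1;" after the rewrite: the allocation is sized by a
 * fresh, zeroed length engine `le`, the copy uses the live engine `e`.
 * With propagate_is_args the length engine inherits e->is_args (the
 * defensive half of the fix).  The copy goes into an oversized scratch
 * buffer so the model measures the mismatch instead of corrupting the heap. */
static set_result_t set_code(const engine_t *e, const char *cap, int propagate_is_args)
{
    engine_t     le;
    set_result_t r;
    size_t       alloc, written;
    char        *scratch = malloc(3 * strlen(cap) + 1);   /* every byte escaped */

    memset(&le, 0, sizeof(le));
    if (propagate_is_args) {
        le.is_args = e->is_args;
    }
    alloc = capture_len_code(&le, cap);

    written = capture_copy_code(e, scratch, cap);
    scratch[written] = '\0';

    r.overrun = written > alloc ? written - alloc : 0;
    snprintf(r.temp, sizeof(r.temp), "%s", scratch);
    free(scratch);
    return r;
}

/* Runs the config from the commit message against one capture; the two
 * flags select which halves of the fix are applied. */
static set_result_t run_config(const char *cap, int clear_at_regex_end, int propagate_is_args)
{
    engine_t e;
    memset(&e, 0, sizeof(e));
    rewrite_code(&e, clear_at_regex_end);
    return set_code(&e, cap, propagate_is_args);
}

int main(void)
{
    const char *cap = "a b&c";   /* constructed: two bytes the args escaper rewrites */
    for (int clear = 0; clear <= 1; clear++) {
        for (int prop = 0; prop <= 1; prop++) {
            set_result_t r = run_config(cap, clear, prop);
            printf("clear_at_end=%d propagate=%d  $temp=\"%s\"  overrun=%zu\n",
                   clear, prop, r.temp, r.overrun);
        }
    }
    return 0;
}
```

The unpatched combination (no clear, no propagation) both escapes $temp and writes past the allocation; propagation alone makes the size match but still produces an escaped $temp; the clear alone restores the unescaped value and the mismatch disappears with it. A capture without escapable bytes shows no overrun in any combination, which is why the log speaks of a "possible" segfault.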