[nginx] Rewrite: fixed incorrect escaping and possible segfault.

Maxim Dounin mdounin at mdounin.ru
Tue May 19 02:46:30 UTC 2026


details:   http://freenginx.org/hg/nginx/rev/dc7cfc0037b8
branches:  
changeset: 9517:dc7cfc0037b8
user:      Maxim Dounin <mdounin at mdounin.ru>
date:      Tue May 19 01:56:22 2026 +0300
description:
Rewrite: fixed incorrect escaping and possible segfault.

Similarly to 4617:972642646f06, the following code resulted in incorrect
escaping of the $temp variable and possible segfault:

    location / {
        rewrite ^(.*) /uri?args;
        set $temp $1;
        return 200 "$temp";
    }

If there were arguments in rewrite's replacement string, the is_args
flag was set and never cleared.  This resulted in escaping being
incorrectly applied to positional captures evaluated after the rewrite
in the same script engine, notably in "set", "if", and "rewrite"
directives.  Additionally, in "set", "if", and "rewrite" with duplicate
captures or additional variables, the buffer was allocated without
escaping expected, so this also resulted in a buffer overrun and a
possible segfault (CVE-2026-42945).

The fix is to clear the is_args flag after rewrite evaluation in
ngx_http_script_regex_end_code(), similarly to how we clear e->quote
and e->args.

Additionally, to ensure that buffer allocation stays correct even if the
is_args flag is somehow set, e->is_args is now propagated to length
calculations in ngx_http_script_regex_start_code() and in
ngx_http_script_complex_value_code().

See also:
https://github.com/nginx/nginx/commit/2046b45aa0c6e712c216b9075886f3f26e9b4ca9

diffstat:

 src/http/ngx_http_script.c |  3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diffs (27 lines):

diff --git a/src/http/ngx_http_script.c b/src/http/ngx_http_script.c
--- a/src/http/ngx_http_script.c
+++ b/src/http/ngx_http_script.c
@@ -1161,6 +1161,7 @@ ngx_http_script_regex_start_code(ngx_htt
         le.line = e->line;
         le.request = r;
         le.quote = code->redirect;
+        le.is_args = e->is_args;
 
         len = 0;
 
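Review bot: the new `le.is_args = e->is_args;` line deserves a short comment explaining why it is needed even though the second hunk clears `e->is_args` at regex end, otherwise a later cleanup may drop it as dead code. The point, per the description, is that `le` is the length-only engine whose pass must mirror every escaping flag of the copy engine `e` (it already mirrors `quote` via `le.quote = code->redirect;`); a flag that affects escaping in the copy pass but not the length pass is exactly how the buffer overrun arose, so keeping `le` and `e` in sync here is the defensive half of the fix.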
@@ -1203,6 +1204,7 @@ ngx_http_script_regex_end_code(ngx_http_
     r = e->request;
 
     e->quote = 0;
+    e->is_args = 0;
 
     ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
                    "http script regex end");
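Review bot: this one-line clear is the actual fix, and its placement right next to `e->quote = 0;` is correct since `is_args` is only set while the replacement string is being evaluated between regex start and regex end, so every code that runs after this point sees it cleared. One gap: the diffstat shows only `src/http/ngx_http_script.c` changed, so the `rewrite ^(.*) /uri?args; set $temp $1;` configuration from the description has no regression test in this changeset; a test asserting that `$temp` is returned unescaped would guard against the flag being reintroduced later.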
@@ -1769,6 +1771,7 @@ ngx_http_script_complex_value_code(ngx_h
     le.line = e->line;
     le.request = e->request;
     le.quote = e->quote;
+    le.is_args = e->is_args;
 
     for (len = 0; *(uintptr_t *) le.ip; len += lcode(&le)) {
         lcode = *(ngx_http_script_len_code_pt *) le.ip;
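Review bot: with this hunk the length engine in `ngx_http_script_complex_value_code()` now copies four fields by hand (`line`, `request`, `quote`, `is_args`), and the first hunk does the same in `ngx_http_script_regex_start_code()`. Since a forgotten field in one of these two copies is precisely the class of bug being fixed, it would be worth either factoring the initialization of `le` into one helper used by both call sites or adding a comment at each site that any engine flag influencing escaped length must be mirrored here, so the two sites cannot drift apart again.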
