comparison src/http/ngx_http_variables.c @ 6263:48c13a0824c5
Fixed variables prefix comparison.
Variable names are not null-terminated, so using ngx_strncmp() without
extra length checks is wrong.
Reported by Markus Linnala,
http://mailman.nginx.org/pipermail/nginx-devel/2015-August/007211.html.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Mon, 19 Oct 2015 21:28:17 +0300 |
parents | a08fad30aeac |
children | 3ef7bb882ad4 |
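--- a/src/http/ngx_http_variables.c
+++ b/src/http/ngx_http_variables.c
@@ -573,64 +573,66 @@
 vv = ngx_palloc(r->pool, sizeof(ngx_http_variable_value_t));
 if (vv == NULL) {
 return NULL;
 }
 
-if (ngx_strncmp(name->data, "http_", 5) == 0) {
+if (name->len >= 5 && ngx_strncmp(name->data, "http_", 5) == 0) {
 
 if (ngx_http_variable_unknown_header_in(r, vv, (uintptr_t) name)
 == NGX_OK)
 {
 return vv;
 }
 
 return NULL;
 }
 
-if (ngx_strncmp(name->data, "sent_http_", 10) == 0) {
+if (name->len >= 10 && ngx_strncmp(name->data, "sent_http_", 10) == 0) {
 
 if (ngx_http_variable_unknown_header_out(r, vv, (uintptr_t) name)
 == NGX_OK)
 {
 return vv;
 }
 
 return NULL;
 }
 
-if (ngx_strncmp(name->data, "upstream_http_", 14) == 0) {
+if (name->len >= 14 && ngx_strncmp(name->data, "upstream_http_", 14) == 0) {
 
 if (ngx_http_upstream_header_variable(r, vv, (uintptr_t) name)
 == NGX_OK)
 {
 return vv;
 }
 
 return NULL;
 }
 
-if (ngx_strncmp(name->data, "cookie_", 7) == 0) {
+if (name->len >= 7 && ngx_strncmp(name->data, "cookie_", 7) == 0) {
 
 if (ngx_http_variable_cookie(r, vv, (uintptr_t) name) == NGX_OK) {
 return vv;
 }
 
 return NULL;
 }
 
-if (ngx_strncmp(name->data, "upstream_cookie_", 16) == 0) {
+if (name->len >= 16
+&& ngx_strncmp(name->data, "upstream_cookie_", 16) == 0)
+{
 
 if (ngx_http_upstream_cookie_variable(r, vv, (uintptr_t) name)
 == NGX_OK)
 {
 return vv;
 }
 
 return NULL;
 }
 
-if (ngx_strncmp(name->data, "arg_", 4) == 0) {
+if (name->len >= 4 && ngx_strncmp(name->data, "arg_", 4) == 0) {
 
 if (ngx_http_variable_argument(r, vv, (uintptr_t) name) == NGX_OK) {
 return vv;
 }
 
@@ -2533,48 +2535,60 @@
 
 goto next;
 }
 }
 
-if (ngx_strncmp(v[i].name.data, "http_", 5) == 0) {
+if (v[i].name.len >= 5
+&& ngx_strncmp(v[i].name.data, "http_", 5) == 0)
+{
 v[i].get_handler = ngx_http_variable_unknown_header_in;
 v[i].data = (uintptr_t) &v[i].name;
 
 continue;
 }
 
-if (ngx_strncmp(v[i].name.data, "sent_http_", 10) == 0) {
+if (v[i].name.len >= 10
+&& ngx_strncmp(v[i].name.data, "sent_http_", 10) == 0)
+{
 v[i].get_handler = ngx_http_variable_unknown_header_out;
 v[i].data = (uintptr_t) &v[i].name;
 
 continue;
 }
 
-if (ngx_strncmp(v[i].name.data, "upstream_http_", 14) == 0) {
+if (v[i].name.len >= 14
+&& ngx_strncmp(v[i].name.data, "upstream_http_", 14) == 0)
+{
 v[i].get_handler = ngx_http_upstream_header_variable;
 v[i].data = (uintptr_t) &v[i].name;
 v[i].flags = NGX_HTTP_VAR_NOCACHEABLE;
 
 continue;
 }
 
-if (ngx_strncmp(v[i].name.data, "cookie_", 7) == 0) {
+if (v[i].name.len >= 7
+&& ngx_strncmp(v[i].name.data, "cookie_", 7) == 0)
+{
 v[i].get_handler = ngx_http_variable_cookie;
 v[i].data = (uintptr_t) &v[i].name;
 
 continue;
 }
 
-if (ngx_strncmp(v[i].name.data, "upstream_cookie_", 16) == 0) {
+if (v[i].name.len >= 16
+&& ngx_strncmp(v[i].name.data, "upstream_cookie_", 16) == 0)
+{
 v[i].get_handler = ngx_http_upstream_cookie_variable;
 v[i].data = (uintptr_t) &v[i].name;
 v[i].flags = NGX_HTTP_VAR_NOCACHEABLE;
 
 continue;
 }
 
-if (ngx_strncmp(v[i].name.data, "arg_", 4) == 0) {
+if (v[i].name.len >= 4
+&& ngx_strncmp(v[i].name.data, "arg_", 4) == 0)
+{
 v[i].get_handler = ngx_http_variable_argument;
 v[i].data = (uintptr_t) &v[i].name;
 v[i].flags = NGX_HTTP_VAR_NOCACHEABLE;
 
 continue;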
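Review bot: Each of the twelve new guards writes the prefix length by hand twice beside the literal, as in `name->len >= 5 && ngx_strncmp(name->data, "http_", 5) == 0`, so a later edit that changes a prefix and misses one of the numbers would silently bring back the read past the end of the non-terminated name. Deriving the length from the literal removes that failure mode, for example with a file-local helper (the name is only a suggestion): `#define ngx_http_var_has_prefix(n, p) ((n)->len >= sizeof(p) - 1 && ngx_strncmp((n)->data, p, sizeof(p) - 1) == 0)`. It would apply to the lookup chain at new lines 578–633 and to the matching chain at new lines 2540–2587, which also keeps the two prefix lists easier to compare. Both enclosing functions begin and end outside the shown hunks, so whether other prefix tests in this file need the same length check cannot be confirmed from this page.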