# HG changeset patch
# User Ruslan Ermilov
# Date 1576498741 -10800
# Node ID 02a539522be41da09e790e64decabd4e78d5b48f
# Parent 7aa20af4ac007333a995a63fa1723e0c39868f43
Tolerate '\0' in URI when mapping URI to path.

If a rewritten URI has the null character, only a part of URI was copied to a memory buffer allocated for path. In some setups this could be exploited to expose uninitialized memory via the Location header.

diff -r 7aa20af4ac00 -r 02a539522be4 src/http/ngx_http_core_module.c
--- a/src/http/ngx_http_core_module.c Mon Dec 16 15:19:01 2019 +0300
+++ b/src/http/ngx_http_core_module.c Mon Dec 16 15:19:01 2019 +0300
@@ -1843,7 +1843,8 @@
 }
 }
 
- last = ngx_cpystrn(last, r->uri.data + alias, r->uri.len - alias + 1);
+ last = ngx_copy(last, r->uri.data + alias, r->uri.len - alias);
+ *last = '\0';
 
 return last;
 }
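Review bot: The two added lines carry no comment saying why a length-based copy replaced `ngx_cpystrn`, so a later cleanup could fold them back into the NUL-terminated copy and reintroduce the uninitialized-memory exposure described in the commit message. I would add above them `/* r->uri may contain '\0' after a rewrite; copy by length so the whole reserved tail is initialized */`. The write of `*last = '\0'` relies on the buffer having room for `r->uri.len - alias + 1` bytes; that reservation happens earlier in the function, outside this hunk, so it is worth confirming that every branch still reserves the extra byte. Callers that later pass the path to C-string file APIs will presumably see it end at the embedded NUL while length-based code sees the full URI, so a regression test using a rewritten URI that contains `\0` would help pin the intended behaviour.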