authorIgor Sysoev <igor@sysoev.ru>2009-09-14 13:17:53 +0000
committerJonathan Kolb <jon@b0g.us>2009-09-14 13:17:53 +0000
commit3ce4dadff2fea7a5ffb40809ff4ea7b4984218b7 (patch)
treeabc64b864842c5e7f168e60b8c7e88813707538a
parent8863dd8559a49fd8a748aa5f37b03c45e369436f (diff)
Changes with nginx 0.5.38 14 Sep 2009v0.5.38nginx-0.5
*) Security: a segmentation fault might occur in worker process while specially crafted request handling. Thanks to Chris Ries. *) Bugfix: a segmentation fault might occur in worker process, if error_log was set to info or debug level. Thanks to Sergey Bochenkov.
-rw-r--r--CHANGES25
-rw-r--r--CHANGES.ru13
-rw-r--r--src/core/nginx.h2
-rw-r--r--src/http/modules/perl/nginx.pm2
-rw-r--r--src/http/ngx_http_parse.c16
5 files changed, 42 insertions, 16 deletions
diff --git a/CHANGES b/CHANGES
index ab57314a2..d4075b04f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,15 @@
+Changes with nginx 0.5.38 14 Sep 2009
+
+ *) Security: a segmentation fault might occur in worker process while
+ specially crafted request handling.
+ Thanks to Chris Ries.
+
+ *) Bugfix: a segmentation fault might occur in worker process, if
+ error_log was set to info or debug level.
+ Thanks to Sergey Bochenkov.
+
+
Changes with nginx 0.5.37 07 Jul 2008
*) Bugfix: if sub_filter and SSI were used together, then responses
@@ -532,8 +543,8 @@ Changes with nginx 0.5.12 12 Feb 2007
amd64, sparc, and ppc; the bug had appeared in 0.5.8.
*) Bugfix: a segmentation fault might occur in worker process if the
- temporarily files were used while working with FastCGI server; the
- bug had appeared in 0.5.8.
+ temporary files were used while working with FastCGI server; the bug
+ had appeared in 0.5.8.
*) Bugfix: a segmentation fault might occur in worker process if the
$fastcgi_script_name variable was logged.
@@ -1075,7 +1086,7 @@ Changes with nginx 0.3.55 28 Jul 2006
*) Bugfix: if the request contained "//" or "/./" and escaped symbols
after them, then the proxied request was sent unescaped.
- *) Bugfix: the $r->headers_in("Cookie") of the ngx_http_perl_module now
+ *) Bugfix: the $r->header_in("Cookie") of the ngx_http_perl_module now
returns all "Cookie" header lines.
*) Bugfix: a segmentation fault occurred if
@@ -1436,8 +1447,8 @@ Changes with nginx 0.3.31 10 Mar 2006
in 0.3.18.
*) Bugfix: if the HTTPS protocol was used in the "proxy_pass" directive
- and the request body was in temporarily file then the request was
- not transferred.
+ and the request body was in temporary file then the request was not
+ transferred.
*) Bugfix: perl 5.8.8 compatibility.
@@ -2589,8 +2600,8 @@ Changes with nginx 0.1.18 09 Feb 2005
*) Bugfix: the proxy_set_x_var and fastcgi_set_var directives were not
inherited.
- *) Bugfix: in the redirect rewrite directive the arguments were
- concatenated with URI by the "&" rather than the "?".
+ *) Bugfix: in a redirect rewrite directive arguments were concatenated
+ with URI by an "&" rather than a "?".
*) Bugfix: the lines without trailing ";" in the file being included by
the ngx_http_geo_module were silently ignored.
diff --git a/CHANGES.ru b/CHANGES.ru
index d6882379d..6cc7049d1 100644
--- a/CHANGES.ru
+++ b/CHANGES.ru
@@ -1,4 +1,15 @@
+Изменения в nginx 0.5.38 14.09.2009
+
+ *) Безопасность: при обработке специально созданного запроса в рабочем
+ процессе мог произойти segmentation fault.
+ Спасибо Chris Ries.
+
+ *) Исправление: при использовании error_log на уровне info или debug в
+ рабочем процессе мог произойти segmentation fault.
+ Спасибо Сергею Боченкову.
+
+
Изменения в nginx 0.5.37 07.07.2008
*) Исправление: при совместном использовании sub_filter и SSI ответы
@@ -1097,7 +1108,7 @@
закодированные символы в виде "%XX", то проксируемый запрос
передавался незакодированным.
- *) Исправление: метод $r->headers_in("Cookie") модуля
+ *) Исправление: метод $r->header_in("Cookie") модуля
ngx_http_perl_module теперь возвращает все строки "Cookie" в
заголовке запроса.
diff --git a/src/core/nginx.h b/src/core/nginx.h
index bba9e751b..0ac7ea028 100644
--- a/src/core/nginx.h
+++ b/src/core/nginx.h
@@ -8,7 +8,7 @@
#define _NGINX_H_INCLUDED_
-#define NGINX_VERSION "0.5.37"
+#define NGINX_VERSION "0.5.38"
#define NGINX_VER "nginx/" NGINX_VERSION
#define NGINX_VAR "NGINX"
diff --git a/src/http/modules/perl/nginx.pm b/src/http/modules/perl/nginx.pm
index c68b479b8..b2c7ff578 100644
--- a/src/http/modules/perl/nginx.pm
+++ b/src/http/modules/perl/nginx.pm
@@ -47,7 +47,7 @@ our @EXPORT = qw(
HTTP_INSUFFICIENT_STORAGE
);
-our $VERSION = '0.5.37';
+our $VERSION = '0.5.38';
require XSLoader;
XSLoader::load('nginx', $VERSION);
diff --git a/src/http/ngx_http_parse.c b/src/http/ngx_http_parse.c
index b83810d2e..5d089302b 100644
--- a/src/http/ngx_http_parse.c
+++ b/src/http/ngx_http_parse.c
@@ -738,6 +738,7 @@ ngx_http_parse_header_line(ngx_http_request_t *r, ngx_buf_t *b)
/* first char */
case sw_start:
+ r->header_name_start = p;
r->invalid_header = 0;
switch (ch) {
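Review bot: The new `r->header_name_start = p;` at the top of `sw_start` has no comment saying why it must run before `switch (ch)`, so a later cleanup could move it back into `default:` next to `state = sw_name;`, where the following hunk removes it. The visible `goto header_done` path leaves `sw_start` without reaching `default:`, and presumably some consumer (the commit message mentions info/debug logging) reads the field on such paths. I would add `/* set unconditionally: paths that leave sw_start without entering sw_name still need a valid header_name_start */` above the assignment. The enclosing function starts and ends outside this hunk, so the exact reader of the field should be confirmed there.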
@@ -750,7 +751,6 @@ ngx_http_parse_header_line(ngx_http_request_t *r, ngx_buf_t *b)
goto header_done;
default:
state = sw_name;
- r->header_name_start = p;
c = lowcase[ch];
@@ -1123,11 +1123,15 @@ ngx_http_parse_complex_uri(ngx_http_request_t *r, ngx_uint_t merge_slashes)
#endif
case '/':
state = sw_slash;
- u -= 4;
- if (u < r->uri.data) {
- return NGX_HTTP_PARSE_INVALID_REQUEST;
- }
- while (*(u - 1) != '/') {
+ u -= 5;
+ for ( ;; ) {
+ if (u < r->uri.data) {
+ return NGX_HTTP_PARSE_INVALID_REQUEST;
+ }
+ if (*u == '/') {
+ u++;
+ break;
+ }
u--;
}
break;
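Review bot: In the `case '/':` branch, `u -= 5` and the trailing `u--` can step `u` below `r->uri.data` before the `u < r->uri.data` test runs. The dereference is now guarded on every iteration, which closes the read before the buffer, but forming and comparing a pointer that lies before the start of the array is undefined behaviour in C and works only on a flat address space. Testing the remaining distance before each step keeps every intermediate pointer inside the buffer and is otherwise equivalent to the loop as written; a short comment on the invariant would also help the next reader. The enclosing function starts and ends outside this hunk, so the type of `u` is assumed from the visible lines.

```c
            case '/':
                state = sw_slash;
                /* bounds are tested before each step, so u never points
                 * before r->uri.data */
                if (u - r->uri.data < 5) {
                    return NGX_HTTP_PARSE_INVALID_REQUEST;
                }
                u -= 5;
                while (*u != '/') {
                    if (u == r->uri.data) {
                        return NGX_HTTP_PARSE_INVALID_REQUEST;
                    }
                    u--;
                }
                u++;
                break;
```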