diff options
author | Igor Sysoev <igor@sysoev.ru> | 2009-09-14 13:13:27 +0000 |
---|---|---|
committer | Jonathan Kolb <jon@b0g.us> | 2009-09-14 13:13:27 +0000 |
commit | 6dc552f6eaa0454716cd6dbccdf74e71f96fba5a (patch) | |
tree | 3371e87e6ce2dad726b9ea6a86f83a864976c7e1 | |
parent | 54ac043bb002bc99c210332a03a4bd67466f79ac (diff) | |
download | nginx-0.6.tar.gz |
*) Security: a segmentation fault might occur in worker process while
specially crafted request handling.
Thanks to Chris Ries.
*) Bugfix: a segmentation fault might occur in worker process, if
error_log was set to info or debug level.
Thanks to Sergey Bochenkov.
-rw-r--r-- | CHANGES | 19 | ||||
-rw-r--r-- | CHANGES.ru | 11 | ||||
-rw-r--r-- | src/core/nginx.h | 4 | ||||
-rw-r--r-- | src/http/modules/perl/nginx.pm | 2 | ||||
-rw-r--r-- | src/http/ngx_http_parse.c | 16 |
5 files changed, 39 insertions, 13 deletions
@@ -1,4 +1,15 @@ +Changes with nginx 0.6.39 14 Sep 2009 + + *) Security: a segmentation fault might occur in worker process while + specially crafted request handling. + Thanks to Chris Ries. + + *) Bugfix: a segmentation fault might occur in worker process, if + error_log was set to info or debug level. + Thanks to Sergey Bochenkov. + + Changes with nginx 0.6.38 22 Jun 2009 *) Feature: the "keepalive_requests" directive. @@ -1021,8 +1032,8 @@ Changes with nginx 0.5.12 12 Feb 2007 amd64, sparc, and ppc; the bug had appeared in 0.5.8. *) Bugfix: a segmentation fault might occur in worker process if the - temporarily files were used while working with FastCGI server; the - bug had appeared in 0.5.8. + temporary files were used while working with FastCGI server; the bug + had appeared in 0.5.8. *) Bugfix: a segmentation fault might occur in worker process if the $fastcgi_script_name variable was logged. @@ -1925,8 +1936,8 @@ Changes with nginx 0.3.31 10 Mar 2006 in 0.3.18. *) Bugfix: if the HTTPS protocol was used in the "proxy_pass" directive - and the request body was in temporarily file then the request was - not transferred. + and the request body was in temporary file then the request was not + transferred. *) Bugfix: perl 5.8.8 compatibility. diff --git a/CHANGES.ru b/CHANGES.ru index a4140596a..3a99158a1 100644 --- a/CHANGES.ru +++ b/CHANGES.ru @@ -1,4 +1,15 @@ +Изменения в nginx 0.6.39 14.09.2009 + + *) Безопасность: при обработке специально созданного запроса в рабочем + процессе мог произойти segmentation fault. + Спасибо Chris Ries. + + *) Исправление: при использовании error_log на уровне info или debug в + рабочем процессе мог произойти segmentation fault. + Спасибо Сергею Боченкову. + + Изменения в nginx 0.6.38 22.06.2009 *) Добавление: директива keepalive_requests. diff --git a/src/core/nginx.h b/src/core/nginx.h index f386edec5..1d023ce8e 100644 --- a/src/core/nginx.h +++ b/src/core/nginx.h @@ -8,8 +8,8 @@ #define _NGINX_H_INCLUDED_ -#define nginx_version 006038 -#define NGINX_VERSION "0.6.38" +#define nginx_version 006039 +#define NGINX_VERSION "0.6.39" #define NGINX_VER "nginx/" NGINX_VERSION #define NGINX_VAR "NGINX" diff --git a/src/http/modules/perl/nginx.pm b/src/http/modules/perl/nginx.pm index 95ef2f0dc..a63a3834f 100644 --- a/src/http/modules/perl/nginx.pm +++ b/src/http/modules/perl/nginx.pm @@ -47,7 +47,7 @@ our @EXPORT = qw( HTTP_INSUFFICIENT_STORAGE ); -our $VERSION = '0.6.38'; +our $VERSION = '0.6.39'; require XSLoader; XSLoader::load('nginx', $VERSION); diff --git a/src/http/ngx_http_parse.c b/src/http/ngx_http_parse.c index 7975361c4..87fda2b61 100644 --- a/src/http/ngx_http_parse.c +++ b/src/http/ngx_http_parse.c @@ -738,6 +738,7 @@ ngx_http_parse_header_line(ngx_http_request_t *r, ngx_buf_t *b) /* first char */ case sw_start: + r->header_name_start = p; r->invalid_header = 0; switch (ch) { @@ -750,7 +751,6 @@ ngx_http_parse_header_line(ngx_http_request_t *r, ngx_buf_t *b) goto header_done; default: state = sw_name; - r->header_name_start = p; c = lowcase[ch]; @@ -1123,11 +1123,15 @@ ngx_http_parse_complex_uri(ngx_http_request_t *r, ngx_uint_t merge_slashes) #endif case '/': state = sw_slash; - u -= 4; - if (u < r->uri.data) { - return NGX_HTTP_PARSE_INVALID_REQUEST; - } - while (*(u - 1) != '/') { + u -= 5; + for ( ;; ) { + if (u < r->uri.data) { + return NGX_HTTP_PARSE_INVALID_REQUEST; + } + if (*u == '/') { + u++; + break; + } u--; } break; |