Tolerate '\0' in URI when mapping URI to path.

If a rewritten URI has the null character, only a part of URI was
copied to a memory buffer allocated for path.  In some setups this
could be exploited to expose uninitialized memory via the Location
header.

diff --git a/src/http/ngx_http_core_module.c b/src/http/ngx_http_core_module.c
index aa03fd61739a6ea6f7c02f6c6420136504ccabf6..a603e09cea4f86b23a576f27a64a7f108bc6594d 100644 (file)
--- a/src/http/ngx_http_core_module.c
+++ b/src/http/ngx_http_core_module.c
@@ -1843,7 +1843,8 @@ ngx_http_map_uri_to_path(ngx_http_request_t *r, ngx_str_t *path,
         }
     }
 
-    last = ngx_cpystrn(last, r->uri.data + alias, r->uri.len - alias + 1);
+    last = ngx_copy(last, r->uri.data + alias, r->uri.len - alias);
+    *last = '\0';
 
     return last;
 }