Core: limited levels of subdirectory hierarchy used for temp files.

Similar to ngx_http_file_cache_set_slot(), the last component of file->name
with a fixed length of 10 bytes, as generated in ngx_create_temp_path(), is
used as a source for the names of intermediate subdirectories with each one
taking its own part.  Ensure that the sum of specified levels with slashes
fits into the length (ticket #731).

diff --git a/src/core/ngx_file.c b/src/core/ngx_file.c
index a8b07ecea98d7c454bd14af8f7266f29bdff2535..3ebd73d8b4e05bfafde550fd92379e56216327b2 100644 (file)
--- a/src/core/ngx_file.c
+++ b/src/core/ngx_file.c
@@ -372,6 +372,10 @@ ngx_conf_set_path_slot(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
         path->len += level + 1;
     }
 
+    if (path->len > 10 + i) {
+        return "invalid value";
+    }
+
     *slot = path;
 
     if (ngx_add_path(cf, slot) == NGX_ERROR) {