From: Ruslan Ermilov
Date: Mon, 16 Dec 2019 12:19:01 +0000 (+0300)
Subject: Tolerate '\0' in URI when mapping URI to path.
X-Git-Tag: release-1.17.7~8
X-Git-Url: http://www.kaiwu.me/postgresql/commit/static/gitweb.js?a=commitdiff_plain;h=a5895eb502747f396d3901a948834cd87d5fb0c3;p=nginx.git
Tolerate '\0' in URI when mapping URI to path.
If a rewritten URI has the null character, only a part of URI was copied to a memory buffer allocated for path. In some setups this could be exploited to expose uninitialized memory via the Location header.
---
diff --git a/src/http/ngx_http_core_module.c b/src/http/ngx_http_core_module.c
index aa03fd617..a603e09ce 100644
--- a/src/http/ngx_http_core_module.c
+++ b/src/http/ngx_http_core_module.c
@@ -1843,7 +1843,8 @@ ngx_http_map_uri_to_path(ngx_http_request_t *r, ngx_str_t *path,
 }
 }
- last = ngx_cpystrn(last, r->uri.data + alias, r->uri.len - alias + 1);
+ last = ngx_copy(last, r->uri.data + alias, r->uri.len - alias);
+ *last = '\0';
 return last;
 }
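Review bot: The two added lines at the end of ngx_http_map_uri_to_path() carry no comment explaining why a length-based copy replaces `ngx_cpystrn`, so a later cleanup could plausibly switch back and reintroduce the partial copy. A comment above the `ngx_copy` call would pin the intent, for example `/* the URI may contain '\0': copy by length so every byte up to last is initialized */`. The resulting path can now hold an embedded '\0' before `last`, so a caller that hands `path->data` to a C-string API will see a shorter path than one that uses the returned length. Those callers are outside this hunk and are worth checking for that mismatch. The explicit `*last = '\0';` also relies on the allocation earlier in the function reserving one byte beyond `r->uri.len - alias`, which is not visible here.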