Thanks!

This is new patch:

Index: src/http/modules/ngx_http_fastcgi_module.c
===================================================================
--- src/http/modules/ngx_http_fastcgi_module.c (revision 3937)
+++ src/http/modules/ngx_http_fastcgi_module.c (working copy)
@@ -165,7 +165,10 @@
 static char *ngx_http_fastcgi_lowat_check(ngx_conf_t *cf, void *post,
 void *data);
 
+static ngx_int_t ngx_http_fastcgi_ignored_header(ngx_table_elt_t **ignored,
+ ngx_table_elt_t *header, ngx_uint_t header_params, ngx_uint_t allow_underscores)
 
+
 static ngx_conf_post_t ngx_http_fastcgi_lowat_post =
 { ngx_http_fastcgi_lowat_check };
 
@@ -685,6 +688,57 @@
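Review bot: The new prototype at the top of this hunk ends with `ngx_uint_t allow_underscores)` and no semicolon as pasted, so the declaration runs straight into the following `static ngx_conf_post_t` line and the file will not compile; the line should read `ngx_table_elt_t *header, ngx_uint_t header_params, ngx_uint_t allow_underscores);`. If the semicolon was only lost in mail transit, this point does not apply. That continuation line also exceeds 80 columns, which the adjacent `ngx_http_fastcgi_lowat_check` prototype wraps to avoid; breaking after `ngx_uint_t header_params,` keeps it within width.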

 
 static ngx_int_t
+ngx_http_fastcgi_ignored_header(ngx_table_elt_t **ignored, ngx_table_elt_t *header,
+ ngx_uint_t header_params, ngx_uint_t allow_underscores)
+{
+ ngx_uint_t n, i, duplicate;
+ ngx_table_elt_t *h;
+
+ for (n = 0; n < header_params; n++) {
+ h = ignored[n];
+
+ if (h == header) {
+ return NGX_OK;
+ }
+
+ if (header->key.len != h->key.len) {
+ continue;
+ }
+
+ if (allow_underscores) {
+ duplicate = 1;
+
+ for (i = 0; i < header->key.len; i++) {
+
+ if (header->lowcase_key[i] != h->lowcase_key[i]) {
+ if ((header->lowcase_key[i] == '_' && h->lowcase_key[i] == '-')
+ || (header->lowcase_key[i] == '-' && h->lowcase_key[i] == '_')) {
+ continue;
+ }
+
+ duplicate = 0;
+ break;
+ }
+ }
+
+ if (duplicate) {
+ return NGX_OK;
+ }
+
+ } else {
+
+ if (ngx_memcmp(header->lowcase_key, h->lowcase_key, header->key.len) == 0) {
+
+ return NGX_OK;
+ }
+ }
+ }
+
+ return NGX_DECLINED;
+}
+
+
+static ngx_int_t
 ngx_http_fastcgi_create_request(ngx_http_request_t *r)
 {
 off_t file_pos;
@@ -699,6 +753,7 @@
 ngx_http_script_code_pt code;
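Review bot: The exact-match branch taken when `allow_underscores` is 0 uses a narrower notion of "same header" than the `ngx_hash_find` test that fills `ignored[]`: that lookup runs on the local, '-'-to-'_' normalised `lowcase_key` (the normalising loop is outside this hunk), whereas `ngx_memcmp` on `header->lowcase_key` still tells '-' and '_' apart. If a key containing '_' can reach this code while `underscores_in_headers` is off (it appears to when the core parser is configured not to drop invalid headers — to be confirmed against ngx_http_process_request_headers), `X-Blah-Blah` and `X_Blah_Blah` each take a slot, the `header_params == flcf->header_params` cap added in the `@@ -784,6 +840,13 @@` hunk is reached early, and a later matching header is then neither recorded nor skipped by the second pass in the `@@ -915,10 +978,9 @@` hunk, so it is written into `b` although the first pass — which, as far as can be seen, sizes the buffer — skipped it, which is the same overflow class this patch sets out to close. Making the '-'/'_'-tolerant comparison unconditional gives the helper the same equivalence as the hash lookup, and the `allow_underscores` parameter, the `cscf` declaration and lookup, and the `cscf->underscores_in_headers` arguments at both call sites can then go. Both lines of the definition's signature are also over 80 columns; `ngx_table_elt_t *header,` belongs on the continuation line, as the prototype already wraps it.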
 ngx_http_script_engine_t e, le;
 ngx_http_fastcgi_header_t *h;
+ ngx_http_core_srv_conf_t *cscf;
 ngx_http_fastcgi_loc_conf_t *flcf;
 ngx_http_script_len_code_pt lcode;
 
@@ -707,6 +762,7 @@
 ignored = NULL;
 
 flcf = ngx_http_get_module_loc_conf(r, ngx_http_fastcgi_module);
+ cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module);
 
 if (flcf->params_len) {
 ngx_memzero(&le, sizeof(ngx_http_script_engine_t));
@@ -784,6 +840,13 @@
 }
 
 if (ngx_hash_find(&flcf->headers_hash, hash, lowcase_key, n)) {
+
+ if (header_params == flcf->header_params ||
+ ngx_http_fastcgi_ignored_header(ignored, &header[i],
+ header_params, cscf->underscores_in_headers) == NGX_OK) {
+ continue;
+ }
+
 ignored[header_params++] = &header[i];
 continue;
 }
@@ -915,10 +978,9 @@
 i = 0;
 }
 
- for (n = 0; n < header_params; n++) {
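Review bot: The `||` in the new condition `if (header_params == flcf->header_params ||` sits at the end of the line, while the helper added earlier in this patch puts the operator at the start of the continuation line (`|| (header->lowcase_key[i] == '-' ...`); writing `if (header_params == flcf->header_params` followed by `|| ngx_http_fastcgi_ignored_header(ignored, &header[i],` keeps the two consistent. The enclosing header loop begins and ends outside this hunk.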
- if (&header[i] == ignored[n]) {
- goto next;
- }
+ if (ngx_http_fastcgi_ignored_header(ignored, &header[i],
+ header_params, cscf->underscores_in_headers) == NGX_OK) {
+ continue;
 }
 
 key_len = sizeof("HTTP_") - 1 + header[i].key.len;
@@ -964,9 +1026,6 @@
 "fastcgi param: \"%*s: %*s\"",
 key_len, b->last - (key_len + val_len),
 val_len, b->last - val_len);
- next:
-
- continue;
 }
 }



<div class="gmail_quote">On Thu, Jun 2, 2011 at 5:52 PM, Maxim Dounin <span dir="ltr"><<a href="mailto:mdounin@mdounin.ru">mdounin@mdounin.ru</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Hello!<br>
<div class="im"><br>
On Thu, Jun 02, 2011 at 03:28:50PM +0800, Simon Liu wrote:<br>
<br>
> Thanks for your review.<br>
><br>
> this is new patch:<br>
<br>
</div>[...]<br>
<div class="im"><br>
> +static ngx_inline ngx_int_t<br>
> +ngx_http_fastcgi_ignored_header(ngx_table_elt_t **ignored, ngx_table_elt_t<br>
> *header, ngx_uint_t header_params)<br>
> +{<br>
> + ngx_uint_t n;<br>
> + ngx_table_elt_t *h;<br>
> +<br>
> + for (n = 0; n < header_params; n++) {<br>
> + h = ignored[n];<br>
> +<br>
> + if (header->key.len == h->key.len<br>
> + && ngx_memcmp(header->lowcase_key, h->lowcase_key,<br>
> header->key.len) == 0) {<br>
> +<br>
> + return NGX_OK;<br>
<br>
</div>This relies on lowcase_key of the first added header and the<br>
duplicate one to match, but that may not be true, e.g.<br>
<br>
X-Blah-Blah<br>
X_Blah_Blah<br>
<br>
would have non-matching lowcase_key (but both should be ignored,<br>
as they both map to the HTTP_BLAH_BLAH fastcgi key). A request with<br>
such duplicate headers will cause the same buffer overflow as in<br>
the original bug (again, assuming underscores_in_headers is on).<br>
<div><div></div><div class="h5"><br>
Maxim Dounin<br>
<br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>博观约取<br><br>豆瓣:<a href="http://www.douban.com/people/mustang/" target="_blank">www.douban.com/people/mustang/</a><br><br>blog: <a href="http://www.pagefault.info" target="_blank">www.pagefault.info</a><br>
<br>twitter: <a href="http://www.twitter.com/minibobo" target="_blank">www.twitter.com/minibobo</a><br><br>sina 微博: <a href="http://www.weibo.com/diaoliang" target="_blank">www.weibo.com/diaoliang</a><br><br>