Viewing all changes in revision 3353.
- Committer: mdounin
- Date: 2012-03-15 11:41:43 UTC
- Revision ID: svn-v4:73f98a42-aea0-e011-b76d-00259023448c:branches/stable-1.0:4535
Merge of r4530, r4531: null character fixes.
*) Fixed incorrect ngx_cpystrn() usage in ngx_http_*_process_header().
This resulted in a disclosure of previously freed memory if upstream
server returned specially crafted response, potentially exposing
sensitive information.
Reported by Matthew Daley.
*) Headers with null character are now rejected.
Headers with NUL character aren't allowed by HTTP standard and may cause
various security problems. They are now unconditionally rejected.
*) Fixed incorrect ngx_cpystrn() usage in ngx_http_*_process_header().
This resulted in a disclosure of previously freed memory if upstream
server returned specially crafted response, potentially exposing
sensitive information.
Reported by Matthew Daley.
*) Headers with null character are now rejected.
Headers with NUL character aren't allowed by HTTP standard and may cause
various security problems. They are now unconditionally rejected.
expand all
collapse all
added
removed
