- Committer: mdounin
- Date: 2012-03-15 11:41:43 UTC
- Revision ID: svn-v4:73f98a42-aea0-e011-b76d-00259023448c:branches/stable-1.0:4535

Merge of r4530, r4531: null character fixes.

*) Fixed incorrect ngx_cpystrn() usage in ngx_http_*_process_header().
   This resulted in a disclosure of previously freed memory if upstream
   server returned specially crafted response, potentially exposing
   sensitive information.

   Reported by Matthew Daley.

*) Headers with null character are now rejected.
   Headers with NUL character aren't allowed by HTTP standard and may cause
   various security problems. They are now unconditionally rejected.
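
The failure pattern behind the first fix, shown as an added example (not nginx source and not part of this commit): it assumes the bug class is a NUL-stopping copy paired with a length taken from the parser. `copy_until_nul`, `copy_header_value` and the sample bytes are hypothetical stand-ins constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a NUL-stopping bounded copy (not nginx source):
 * copies at most n-1 bytes, stops at the first NUL, always terminates. */
static unsigned char *copy_until_nul(unsigned char *dst,
                                     const unsigned char *src, size_t n)
{
    if (n == 0) return dst;
    while (--n) {
        *dst = *src;
        if (*dst == '\0') return dst;
        dst++; src++;
    }
    *dst = '\0';
    return dst;
}

/* Constructed sample: a 6-byte header value with an embedded NUL. */
static const unsigned char SAMPLE[] = { 'o', 'k', '\0', 'x', 'y', 'z' };
enum { SAMPLE_LEN = 6 };

/* Unsafe pattern: the length comes from the parser (6), the bytes from a copy
 * that stopped at the NUL. Returns how many of those 6 bytes are leftovers
 * from the buffer's previous use. */
size_t stale_bytes_after_unsafe_copy(void)
{
    unsigned char buf[16];
    size_t i, stale = 0;
    memset(buf, 'S', sizeof buf);   /* simulate reused, previously freed memory */
    copy_until_nul(buf, SAMPLE, SAMPLE_LEN + 1);
    for (i = 0; i < SAMPLE_LEN; i++)
        if (buf[i] == 'S') stale++;
    return stale;
}

/* Hardened pattern: reject any value containing NUL, then copy exactly len
 * bytes so the recorded length and the copied bytes always agree. */
int copy_header_value(unsigned char *dst, size_t cap,
                      const unsigned char *src, size_t len)
{
    if (len > cap || memchr(src, '\0', len) != NULL) return -1;
    memcpy(dst, src, len);
    return 0;
}

int main(void)
{
    printf("stale bytes in unsafe copy: %zu\n", stale_bytes_after_unsafe_copy());
    return 0;
}
```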