Closed max-lt closed 3 years ago
@fitzyjoe is there any update on this? It seems like a trivial fix, and I think this might be able to be exploited as an out of bounds read vulnerability. I can submit a PR if you'd like.
@fitzyjoe Can you review #61?
@JoshMcCullough @fitzyjoe I provided a PR that fixes this and updates the test case. Can I get this reviewed and merged?
Merged PR to fix this. Thanks!
Invalid "Authorization" header may lead to segmentation fault:
How to reproduce:
In your nginx.conf file, change
error_log /var/log/nginx/error.log info
to
error_log /dev/stderr info
(you won't see anything otherwise).
Add this test:
Cause:
Line 422:
authorizationHeaderStr.len = authorizationHeader->value.len - (sizeof("Bearer ") - 1);
-> "len" can be negative and it will fail in the ngx_str_t_to_char_ptr function on memory allocation.
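The length computation quoted above, next to a bounds-checked version, as an added example that is not the module's code or the merged fix. `str_t` is a stand-in for `ngx_str_t`, and the function names and sample header values are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for nginx's ngx_str_t (length plus pointer, not NUL-terminated). */
typedef struct {
    size_t len;
    const unsigned char *data;
} str_t;

#define BEARER_PREFIX "Bearer "
#define BEARER_PREFIX_LEN (sizeof(BEARER_PREFIX) - 1)

/* The computation from line 422: no lower bound on the header length.
 * size_t is unsigned, so a short header wraps around to a huge value. */
size_t unchecked_token_len(size_t header_len)
{
    return header_len - BEARER_PREFIX_LEN;
}

/* Bounds-checked form: validate length and prefix before subtracting.
 * Returns 0 on success, -1 on a malformed header. The prefix match is
 * case-sensitive here for brevity (an assumption of this example). */
int extract_bearer_token(const str_t *header, str_t *token)
{
    if (header->len <= BEARER_PREFIX_LEN) {
        return -1;   /* shorter than the prefix, or no token after it */
    }
    if (memcmp(header->data, BEARER_PREFIX, BEARER_PREFIX_LEN) != 0) {
        return -1;   /* not a Bearer credential */
    }
    token->data = header->data + BEARER_PREFIX_LEN;
    token->len = header->len - BEARER_PREFIX_LEN;
    return 0;
}

int main(void)
{
    /* Constructed sample header values. */
    const char *samples[] = { "X", "Bearer ", "Basic dXNlcg==", "Bearer abc.def.ghi" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        str_t h = { strlen(samples[i]), (const unsigned char *)samples[i] }, t = { 0, NULL };
        int rc = extract_bearer_token(&h, &t);
        printf("%-20s unchecked=%zu checked=%d len=%zu\n",
               samples[i], unchecked_token_len(h.len), rc, t.len);
    }
    return 0;
}
```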