summaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
authorAlejandro Colomar <alx.manpages@gmail.com>2022-06-06 14:18:01 +0200
committerAlejandro Colomar <alx.manpages@gmail.com>2022-06-21 12:47:01 +0200
commitc3e40ae932f0cf9ae33166479049d2d3c9fa1615 (patch)
treed3fd81d32f648def28d9425d981520e65d189dcc
parentd220eb2996513134d3553dbb4ae6b6bbf4692775 (diff)
downloadunit-c3e40ae932f0cf9ae33166479049d2d3c9fa1615.tar.gz
unit-c3e40ae932f0cf9ae33166479049d2d3c9fa1615.tar.bz2
Static: Fixed finding the file extension.
The code for finding the extension made a few assumptions that are no longer true. It didn't account for pathnames that didn't contain '/', including the empty string, or the NULL string. That code was used with "share", which always had a '/', but now it's also used with "index", which should not have a '/' in it. This fix works by limiting the search to the beginning of the string, so that if no '/' is found in it, it doesn't continue searching before the beginning of the string. This also happens to work for NULL. It is technically Undefined Behavior, as we rely on `NULL + 0 == NULL` and `NULL - NULL == 0`. But that is the only sane behavior for an implementation, and all existing POSIX implementations will Just Work for this code. Relying on this UB is useful, because we don't need to add an explicit check for NULL, and therefore we have faster code. Although the current code can't have a NULL, I expect that when we add support for variables in the index, it will be NULL in some cases. Link: <https://stackoverflow.com/q/67291052/6872717> The same code seems to be defined behavior in C++, which normally will share implementation in the compiler for these cases, and therefore it is really unlikely to be in trouble. Link: <https://stackoverflow.com/q/59409034/6872717>
Diffstat (limited to '')
-rw-r--r--docs/changes.xml7
-rw-r--r--src/nxt_http_static.c13
2 files changed, 14 insertions, 6 deletions
diff --git a/docs/changes.xml b/docs/changes.xml
index 38909a42..65e9d200 100644
--- a/docs/changes.xml
+++ b/docs/changes.xml
@@ -37,6 +37,13 @@ forwarded header to replace client address and protocol.
</para>
</change>
+<change type="bugfix">
+<para>
+an index file that didn't contain a file extension was incorrectly
+handled, and caused a use-after-free bug.
+</para>
+</change>
+
</changes>
diff --git a/src/nxt_http_static.c b/src/nxt_http_static.c
index 61dd0cb3..eef96c16 100644
--- a/src/nxt_http_static.c
+++ b/src/nxt_http_static.c
@@ -756,9 +756,7 @@ nxt_http_static_extract_extension(nxt_str_t *path, nxt_str_t *exten)
end = path->start + path->length;
p = end;
- for ( ;; ) {
- /* There's always '/' in the beginning of the request path. */
-
+ while (p > path->start) {
p--;
ch = *p;
@@ -767,11 +765,14 @@ nxt_http_static_extract_extension(nxt_str_t *path, nxt_str_t *exten)
p++;
/* Fall through. */
case '.':
- exten->length = end - p;
- exten->start = p;
- return;
+ goto extension;
}
}
+
+extension:
+
+ exten->length = end - p;
+ exten->start = p;
}