diff options
author | Alejandro Colomar <alx.manpages@gmail.com> | 2022-06-06 14:18:01 +0200 |
---|---|---|
committer | Alejandro Colomar <alx.manpages@gmail.com> | 2022-06-21 12:47:01 +0200 |
commit | c3e40ae932f0cf9ae33166479049d2d3c9fa1615 (patch) | |
tree | d3fd81d32f648def28d9425d981520e65d189dcc | |
parent | d220eb2996513134d3553dbb4ae6b6bbf4692775 (diff) | |
download | unit-c3e40ae932f0cf9ae33166479049d2d3c9fa1615.tar.gz unit-c3e40ae932f0cf9ae33166479049d2d3c9fa1615.tar.bz2 |
Static: Fixed finding the file extension.
The code for finding the extension made a few assumptions that are
no longer true. It didn't account for pathnames that didn't
contain '/', including the empty string, or the NULL string. That
code was used with "share", which always had a '/', but now it's
also used with "index", which should not have a '/' in it.
This fix works by limiting the search to the beginning of the
string, so that if no '/' is found in it, it doesn't continue
searching before the beginning of the string.
This also happens to work for NULL. It is technically Undefined
Behavior, as we rely on `NULL + 0 == NULL` and `NULL - NULL == 0`.
But that is the only sane behavior for an implementation, and all
existing POSIX implementations will Just Work for this code.
Relying on this UB is useful, because we don't need to add an
explicit check for NULL, and therefore we have faster code.
Although the current code can't have a NULL, I expect that when we
add support for variables in the index, it will be NULL in some
cases.
Link: <https://stackoverflow.com/q/67291052/6872717>
The same code seems to be defined behavior in C++, which normally
will share implementation in the compiler for these cases, and
therefore it is really unlikely to be in trouble.
Link: <https://stackoverflow.com/q/59409034/6872717>
Diffstat (limited to '')
-rw-r--r-- | docs/changes.xml | 7 | ||||
-rw-r--r-- | src/nxt_http_static.c | 13 |
2 files changed, 14 insertions, 6 deletions
diff --git a/docs/changes.xml b/docs/changes.xml index 38909a42..65e9d200 100644 --- a/docs/changes.xml +++ b/docs/changes.xml @@ -37,6 +37,13 @@ forwarded header to replace client address and protocol. </para> </change> +<change type="bugfix"> +<para> +an index file that didn't contain a file extension was incorrectly +handled, and caused a use-after-free bug. +</para> +</change> + </changes> diff --git a/src/nxt_http_static.c b/src/nxt_http_static.c index 61dd0cb3..eef96c16 100644 --- a/src/nxt_http_static.c +++ b/src/nxt_http_static.c @@ -756,9 +756,7 @@ nxt_http_static_extract_extension(nxt_str_t *path, nxt_str_t *exten) end = path->start + path->length; p = end; - for ( ;; ) { - /* There's always '/' in the beginning of the request path. */ - + while (p > path->start) { p--; ch = *p; @@ -767,11 +765,14 @@ nxt_http_static_extract_extension(nxt_str_t *path, nxt_str_t *exten) p++; /* Fall through. */ case '.': - exten->length = end - p; - exten->start = p; - return; + goto extension; } } + +extension: + + exten->length = end - p; + exten->start = p; } |