blob: 45653e422eaf1e434a05e9960d0f55fa18328af3 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
|
From 6511195c023bf03e0fb19a36f41f42f4edde6e88 Mon Sep 17 00:00:00 2001
From: Ruslan Ermilov <ru@nginx.com>
Date: Mon, 23 Dec 2019 15:45:46 +0300
Subject: [PATCH] Discard request body when redirecting to a URL via
error_page.
Reported by Bert JW Regeer and Francisco Oca Gonzalez.
Upstream-Status: Backport
CVE: CVE-2019-20372
Reference to upstream patch:
https://github.com/nginx/nginx/commit/c1be55f97211d38b69ac0c2027e6812ab8b1b94e
Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
---
src/http/ngx_http_special_response.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/http/ngx_http_special_response.c b/src/http/ngx_http_special_response.c
index 4ffb2cc8..76e67058 100644
--- a/src/http/ngx_http_special_response.c
+++ b/src/http/ngx_http_special_response.c
@@ -623,6 +623,12 @@ ngx_http_send_error_page(ngx_http_request_t *r, ngx_http_err_page_t *err_page)
return ngx_http_named_location(r, &uri);
}
+ r->expect_tested = 1;
+
+ if (ngx_http_discard_request_body(r) != NGX_OK) {
+ r->keepalive = 0;
+ }
+
location = ngx_list_push(&r->headers_out.headers);
if (location == NULL) {
--
2.17.1
|