| From | Sent On | Attachments |
|---|---|---|
| Justin Hart | Dec 31, 2011 10:37 am | |
| Maxim Dounin | Dec 31, 2011 4:34 pm | |
| agentzh | Dec 31, 2011 9:53 pm | |
| Justin Hart | Dec 31, 2011 9:58 pm | |
| agentzh | Jan 1, 2012 6:20 am | |
| Nginx User | Jan 1, 2012 6:31 am | |
| Sergey A. Osokin | Jan 1, 2012 10:37 am | |
| agentzh | Jan 4, 2012 3:47 am | |
| Nginx User | Jan 4, 2012 12:01 pm | |

| Subject: | Re: Is nginx vulnerable to the Hash Table Vulnerability (n.runs AG)? |
|---|---|
| From: | Nginx User (ngi...@nginxuser.net) |
| Date: | Jan 1, 2012 6:31:10 am |
| List: | ru.sysoev.nginx |
On 1 January 2012 17:20, agentzh <agen...@gmail.com> wrote:
> On Sun, Jan 1, 2012 at 1:58 PM, Justin Hart <onyx...@gmail.com> wrote:
> > Thank you for the confirmation - I read through the parts of code in question but wanted to get a second opinion.
> > How about the lua and/or the perl modules? It looks as if they are using the nginx functions?
> The currently released versions of ngx_lua do have this vulnerability in their ngx.req.get_uri_args() and ngx.req.get_post_args() functions. I've already worked out a patch for these two functions in ngx_lua's git max-args branch here:
> https://github.com/chaoslawful/lua-nginx-module/commit/75876
> With this patch, both of these functions will only parse 100 query args at most. One can specify a custom maximum number of args parsed with an optional function argument (defaulting to 100) and enforce unlimited parsing by specifying zero.
> This patch (as well as this branch) will be merged into the master branch on 3 Jan.
It would probably be a good idea at that point to finally make a release of v0.3.1 of the ngx_lua module, as with about 45 "Release Candidates" it must already hold some record :)
_______________________________________________ nginx mailing list ngi...@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx
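As an added example (not ngx_lua's code and not part of this thread), here is a small Python model of the mitigation agentzh describes: a query/POST-argument parser that decodes at most `max_args` key/value pairs, defaults to 100, and treats 0 as unlimited, so the number of hash insertions a request can force is bounded by the cap rather than by the request size. The repeated-key handling and the bare-key-becomes-True convention are this model's own assumptions, and the sample query string is constructed.

```python
from urllib.parse import unquote_plus

DEFAULT_MAX_ARGS = 100  # default cap, as in the patch described above


def parse_args(query: str, max_args: int = DEFAULT_MAX_ARGS) -> dict:
    """Parse a URL-encoded query string (or POST body) into a dict.

    At most ``max_args`` non-empty pairs are decoded; ``max_args == 0`` means
    unlimited. Pairs beyond the cap are neither decoded nor inserted, which is
    what bounds the attacker-controlled hashing work.

    Model-specific assumptions: repeated keys are collected into a list in
    input order, and a bare key without '=' is recorded as True.
    """
    if max_args < 0:
        raise ValueError("max_args must be >= 0")
    args: dict = {}
    parsed = 0
    for pair in query.split("&"):
        if max_args and parsed >= max_args:
            break  # cap reached: ignore the rest of the string entirely
        if pair == "":
            continue  # tolerate "a=1&&b=2" without counting the empty pair
        key, sep, value = pair.partition("=")
        key = unquote_plus(key)
        value = unquote_plus(value) if sep else True
        if key in args:
            existing = args[key]
            if isinstance(existing, list):
                existing.append(value)
            else:
                args[key] = [existing, value]
        else:
            args[key] = value
        parsed += 1
    return args


def demo_cap() -> tuple:
    """Constructed input: 250 distinct keys, the shape of a collision flood."""
    flood = "&".join(f"k{i}={i}" for i in range(250))
    return (len(parse_args(flood)),        # default cap  -> 100
            len(parse_args(flood, 5)),     # custom cap   -> 5
            len(parse_args(flood, 0)))     # unlimited    -> 250


if __name__ == "__main__":
    print(demo_cap())
    print(parse_args("a=1&a=2&b&c=%20x"))
```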