From: Roman Arutyunyan
Date: Wed, 22 Apr 2026 05:39:31 +0000 (+0400)
Subject: Rewrite: fixed escaping and possible buffer overrun
X-Git-Tag: release-1.31.0~2
X-Git-Url: http://git.kaiwu.me/postgresql/log/contrib/postgres_fdw/postgres_fdw.c?a=commitdiff_plain;h=2046b45aa0c6;p=nginx.git

Rewrite: fixed escaping and possible buffer overrun

The following code resulted in incorrect escaping of $1 and possible
segfault:

    location / {
        rewrite ^(.*) /new?c=1;
        set $myvar $1;
        return 200 $myvar;
    }

If there were arguments in a rewrite's replacement string, the is_args flag
was set and incorrectly never cleared. This resulted in escaping applied to
any captures evaluated afterwards in set or if. Additionally buffer was
allocated by ngx_http_script_complex_value_code() without escaping expected,
thus this also resulted in buffer overrun and possible segfault.

A similar issue was fixed in 74d939974d43.

Reported by Leo Lin.
---
diff --git a/src/http/ngx_http_script.c b/src/http/ngx_http_script.c index a2b9f1b7b..2ea611373 100644 --- a/src/http/ngx_http_script.c +++ b/src/http/ngx_http_script.c @@ -1202,6 +1202,7 @@ ngx_http_script_regex_end_code(ngx_http_script_engine_t *e) r = e->request; + e->is_args = 0; e->quote = 0; ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
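
Review bot: the added `e->is_args = 0;` ahead of `e->quote = 0;` clears the flag only when ngx_http_script_regex_end_code() runs, so the fix depends on every rewrite that sets is_args reaching this function; please confirm that holds, since the commit message describes the flag as never cleared rather than cleared on some paths. A short comment at the reset would help: the message ties a stale is_args to two effects (captures in a later set or if being escaped, and that escaped output landing in a buffer that ngx_http_script_complex_value_code() sized without escaping), and without it the new line reads as routine state cleanup next to quote. A regression test built from the location block in the commit message (rewrite with arguments, then set $myvar $1, then return 200 $myvar) would pin both the escaping and the length behaviour.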