From: Dmitry Volyntsev Date: Thu, 11 Jun 2026 23:49:33 +0000 (-0700) Subject: Fetch: fix out-of-bounds read of a short fetch proxy URL X-Git-Tag: 1.0.0~11 X-Git-Url: http://git.kaiwu.me/postgresql/log/contrib/postgres_fdw/postgres_fdw.c?a=commitdiff_plain;h=645655aa21234fdd7dbf8f4c058e78c6680253ee;p=njs.git Fetch: fix out-of-bounds read of a short fetch proxy URL --- diff --git a/nginx/ngx_js.c b/nginx/ngx_js.c index cd44127b..34fc23a4 100644 --- a/nginx/ngx_js.c +++ b/nginx/ngx_js.c @@ -3552,7 +3552,9 @@ ngx_js_parse_proxy_url(ngx_pool_t *pool, ngx_log_t *log, ngx_str_t *url, return NGX_OK; } - if (ngx_strncmp(url->data, "http://", sizeof("http://") - 1) != 0) { + if (url->len < sizeof("http://") - 1 + || ngx_strncmp(url->data, "http://", sizeof("http://") - 1) != 0) + { ngx_log_error(NGX_LOG_ERR, log, 0, "js_fetch_proxy URL must use http:// scheme"); return NGX_ERROR; diff --git a/nginx/t/js_fetch_proxy_variable.t b/nginx/t/js_fetch_proxy_variable.t index b1fcbadd..b8de4e1c 100644 --- a/nginx/t/js_fetch_proxy_variable.t +++ b/nginx/t/js_fetch_proxy_variable.t @@ -60,6 +60,12 @@ http { js_content test.http_fetch; } + location /dynamic_short_proxy { + set $proxy_url "http:/"; + js_fetch_proxy $proxy_url; + js_content test.http_fetch; + } + location /dynamic_user_proxy { set $proxy_url "http://$arg_user:p@127.0.0.1:%%PORT_8081%%"; js_fetch_proxy $proxy_url; @@ -134,7 +140,7 @@ $t->write_file('test.js', <try_run('no js_fetch_proxy')->plan(4); +$t->try_run('no js_fetch_proxy')->plan(5); ############################################################################### @@ -144,6 +150,8 @@ like(http_get('/dynamic_proxy'), qr/PROXY:Basic\s+dGVzdHVzZXI6dGVzdHBhc3M=/, 'dynamic proxy URL with auth'); like(http_get('/dynamic_empty_proxy'), qr/ORIGIN:OK/, 'dynamic empty proxy URL bypasses proxy'); +like(http_get('/dynamic_short_proxy'), qr/failed to evaluate proxy URL/, + 'too short dynamic proxy URL is rejected'); like(http_get('/dynamic_user_proxy?user=' . ('a' x 200)), qr/PROXY:BAD-AUTH/, 'long user in dynamic proxy URL decoded without overflow');