]> git.kaiwu.me - njs.git/commit
Fetch: fixed heap buffer overflow in proxy URL credentials.
authorDmitry Volyntsev <xeioex@nginx.com>
Tue, 12 May 2026 23:52:56 +0000 (16:52 -0700)
committerDmitry Volyntsev <xeioexception@gmail.com>
Wed, 13 May 2026 01:22:56 +0000 (18:22 -0700)
commit2bf4601a94c2a22b715d74e6d92dedb1850d56d3
treed56b2a41b7a25f2e4012d93358cd2cc6b6400bdb
parent0ffc96df7f341f6c5f6f70cb6207030b6afe0de3
Fetch: fixed heap buffer overflow in proxy URL credentials.

The destination buffers for the decoded user and password in
ngx_js_parse_proxy_url() were a fixed 128 bytes, while the encoded
input length was bounded only by the URL length.  Since
ngx_unescape_uri() writes at most one byte per input byte, raw
credentials longer than 128 bytes overflowed the buffer; the
length check ran only after the decode.

The fix is to size the destination buffer based on the encoded
input length.

The bug appeared in dea8318 (0.9.4).
nginx/ngx_js.c
nginx/t/js_fetch_proxy_variable.t