Is nginx vulnerable to the Hash Table Vulnerability (n.runs AG)?


Justin Hart

Dec 31, 2011, 1:37:39 PM
to ng...@nginx.org
http://www.securityweek.com/hash-table-collision-attacks-could-trigger-ddos-massive-scale

Without going through the way nginx parses an incoming request, I'm unsure whether nginx is vulnerable to this, given the ability to grab the value of a GET parameter via http://wiki.nginx.org/HttpCoreModule#.24arg_PARAMETER. My hope is that, especially if $arg_PARAMETER isn't used in the config, it is not vulnerable because it wouldn't even attempt to parse the parameters, but I can't be sure.

Can anyone speak to this?

Maxim Dounin

Dec 31, 2011, 7:34:57 PM
to ng...@nginx.org
Hello!

It's not vulnerable even if $arg_* is used.

Maxim Dounin

_______________________________________________
nginx mailing list
ng...@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

agentzh

Jan 1, 2012, 12:54:08 AM
to ng...@nginx.org

Well, the $arg_PARAMETER variable is not implemented with hash tables
at all ;) It scans the URI query string at every invocation :)

Regards,
-agentzh

Justin Hart

Jan 1, 2012, 12:58:48 AM
to ng...@nginx.org
Thank you for the confirmation - I read through the parts of code in
question but wanted to get a second opinion.

How about the lua and/or the perl modules? It looks as if they are
using the nginx functions?

Sent from my iPhone

agentzh

Jan 1, 2012, 9:20:59 AM
to ng...@nginx.org
On Sun, Jan 1, 2012 at 1:58 PM, Justin Hart <onyx...@gmail.com> wrote:
> Thank you for the confirmation - I read through the parts of code in
> question but wanted to get a second opinion.
>
> How about the lua and/or the perl modules?  It looks as if they are
> using the nginx functions?
>

The current released versions of ngx_lua do have this vulnerability
in their ngx.req.get_uri_args() and ngx.req.get_post_args() functions.
I've already worked out a patch for these two functions in ngx_lua's
git max-args branch here:

https://github.com/chaoslawful/lua-nginx-module/commit/75876

With this patch, both of these functions will only parse 100 query
args at most. One can specify a custom maximum number of args to
parse with an optional function argument (default 100), and enforce
unlimited parsing by specifying zero.

This patch (as well as this branch) will be merged into the master
branch on 3 Jan.

Best,
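
An added illustration in C, written for this page rather than taken from nginx or ngx_lua, of the two behaviours agentzh describes above: a single-argument lookup that walks the query string linearly, the way $arg_PARAMETER does, and never builds a table of all arguments, so there is nothing for colliding keys to attack; and a full parse into key/value pairs capped at a maximum number of arguments (default 100, 0 for unlimited), as in the ngx_lua max-args patch. Inserting n colliding keys into a hash table costs on the order of n^2 comparisons, so bounding n bounds the worst case. The function names, the struct and the constructed 500-argument query are this example's own assumptions, not nginx or ngx_lua APIs.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Default cap, matching the value the thread describes for ngx_lua's patch.
 * Everything in this file is illustrative code written for this page, not
 * nginx's or ngx_lua's own implementation. */
#define DEFAULT_MAX_ARGS 100

typedef struct {
    const char *key;
    size_t      key_len;
    const char *val;     /* NULL when the pair carried no '=' (e.g. "?flag") */
    size_t      val_len;
} qs_arg_t;

/* Single-argument lookup by linear scan, in the spirit of $arg_NAME: no
 * table of all arguments is ever built, so the cost is O(len) per lookup
 * no matter how many other keys there are or how they hash. A match must
 * start at the beginning of the string or right after '&' and be followed
 * by '='. Returns 1 and sets *val/*val_len on success, 0 otherwise. */
int find_query_arg(const char *qs, size_t len, const char *name,
                   const char **val, size_t *val_len)
{
    size_t nlen = strlen(name);
    const char *end = qs + len;

    for (const char *p = qs; p + nlen < end; p++) {
        if ((p == qs || p[-1] == '&')
            && memcmp(p, name, nlen) == 0 && p[nlen] == '=') {
            *val = p + nlen + 1;
            const char *amp = memchr(*val, '&', (size_t)(end - *val));
            *val_len = (size_t)((amp ? amp : end) - *val);
            return 1;
        }
    }
    return 0;
}

/* Full parse into key/value pairs, bounded by max_args (0 = unlimited,
 * i.e. bounded only by the caller's buffer size `cap`). Capping the number
 * of pairs caps the number of hash-table insertions a hostile query can
 * force. Empty segments ("a=1&&b=2") are skipped. Returns pairs written. */
size_t parse_query_args(const char *qs, size_t len, size_t max_args,
                        qs_arg_t *out, size_t cap)
{
    size_t n = 0;
    const char *p = qs, *end = qs + len;

    while (p < end && n < cap) {
        if (max_args != 0 && n >= max_args)
            break;                               /* the cap: stop scanning here */

        const char *amp = memchr(p, '&', (size_t)(end - p));
        const char *pair_end = amp ? amp : end;

        if (pair_end > p) {                      /* skip empty "&&" segments */
            const char *eq = memchr(p, '=', (size_t)(pair_end - p));
            out[n].key = p;
            if (eq) {
                out[n].key_len = (size_t)(eq - p);
                out[n].val     = eq + 1;
                out[n].val_len = (size_t)(pair_end - (eq + 1));
            } else {
                out[n].key_len = (size_t)(pair_end - p);
                out[n].val     = NULL;
                out[n].val_len = 0;
            }
            n++;
        }
        if (amp == NULL)
            break;
        p = amp + 1;
    }
    return n;
}

/* Builds a constructed query "k0=v&k1=v&..." with `count` pairs so the
 * example runs offline; returns its length. */
size_t build_query(char *buf, size_t bufsz, size_t count)
{
    size_t used = 0;
    for (size_t i = 0; i < count; i++) {
        int w = snprintf(buf + used, bufsz - used, "%sk%zu=v", i ? "&" : "", i);
        if (w < 0 || (size_t)w >= bufsz - used)
            break;                               /* out of room: stop */
        used += (size_t)w;
    }
    return used;
}

/* Demo helpers over a constructed 500-pair query. */
static char     demo_buf[8192];
static qs_arg_t demo_args[1024];

size_t demo_parse_count(size_t max_args)
{
    size_t len = build_query(demo_buf, sizeof demo_buf, 500);
    return parse_query_args(demo_buf, len, max_args, demo_args, 1024);
}

/* Value length of `name` in the constructed query, or -1 if absent. */
long demo_lookup(const char *name)
{
    size_t len = build_query(demo_buf, sizeof demo_buf, 500);
    const char *v; size_t vl;
    return find_query_arg(demo_buf, len, name, &v, &vl) ? (long)vl : -1;
}

int main(void)
{
    printf("capped parse (max %d): %zu pairs\n", DEFAULT_MAX_ARGS,
           demo_parse_count(DEFAULT_MAX_ARGS));
    printf("unlimited parse (0):   %zu pairs\n", demo_parse_count(0));
    printf("lookup k499: value length %ld\n", demo_lookup("k499"));
    printf("lookup k5000: %ld (absent)\n", demo_lookup("k5000"));
    return 0;
}
```

Compile with cc -std=c99 and run: the capped parse stops at 100 pairs while the lookup finds k499 without ever materialising the other 499 arguments. Note that the cap is a bound on work, not a validator: pairs beyond it are silently dropped, so an application that legitimately needs more than max_args arguments has to raise the limit deliberately rather than rely on the default.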

Nginx User

Jan 1, 2012, 9:31:46 AM
to ng...@nginx.org
On 1 January 2012 17:20, agentzh <age...@gmail.com> wrote:
> On Sun, Jan 1, 2012 at 1:58 PM, Justin Hart <onyx...@gmail.com> wrote:
>> Thank you for the confirmation - I read through the parts of code in
>> question but wanted to get a second opinion.
>>
>> How about the lua and/or the perl modules?  It looks as if they are
>> using the nginx functions?
>>
>
> The current released versions of ngx_lua do have this vulnerability
> in their ngx.req.get_uri_args() and ngx.req.get_post_args() functions.
> I've already worked out a patch for these two functions in ngx_lua's
> git max-args branch here:
>
>    https://github.com/chaoslawful/lua-nginx-module/commit/75876
>
> With this patch, both of these functions will only parse 100 query
> args at most. One can specify a custom maximum number of args to
> parse with an optional function argument (default 100), and enforce
> unlimited parsing by specifying zero.
>
> This patch (as well as this branch) will be merged into the master
> branch on 3 Jan.

It would probably be a good idea at that point to finally make a
release of v0.3.1 of the ngx_lua module, as with about 45 "Release
Candidates" it must already hold some record :)

Sergey A. Osokin

Jan 1, 2012, 1:38:09 PM
to ng...@nginx.org

+1.

--
Sergey A. Osokin
o...@FreeBSD.ORG.ru
o...@FreeBSD.ORG

agentzh

Jan 4, 2012, 6:48:35 AM
to ng...@nginx.org
On Sun, Jan 1, 2012 at 10:20 PM, agentzh <age...@gmail.com> wrote:
> The current released versions of ngx_lua do have this vulnerability
> in their ngx.req.get_uri_args() and ngx.req.get_post_args() functions.
> I've already worked out a patch for these two functions in ngx_lua's
> git max-args branch here:
>
>    https://github.com/chaoslawful/lua-nginx-module/commit/75876
>
> With this patch, both of these functions will only parse 100 query
> args at most. One can specify a custom maximum number of args to
> parse with an optional function argument (default 100), and enforce
> unlimited parsing by specifying zero.
>
> This patch (as well as this branch) will be merged into the master
> branch on 3 Jan.
>

I've also added similar protections to ngx.req.get_headers():

http://wiki.nginx.org/HttpLuaModule#ngx.req.get_headers

All of these changes have been released as ngx_lua 0.3.1rc45:

https://github.com/chaoslawful/lua-nginx-module/tags

and also included in the ngx_openresty bundle's devel version 1.0.10.39:

http://openresty.org/#Download

Feedback welcome!

Nginx User

Jan 4, 2012, 3:01:56 PM
to ng...@nginx.org
On 4 January 2012 14:48, agentzh <age...@gmail.com> wrote:
> I've also added similar protections to ngx.req.get_headers():
>
>    http://wiki.nginx.org/HttpLuaModule#ngx.req.get_headers
>
> All of these changes have been released as ngx_lua 0.3.1rc45:
Nice one.

Thanks.
