mirror/nginx
1
0
Fork 0
mirror of https://github.com/nginx/nginx.git synced 2025-06-07 17:52:38 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

Cache: check the whole cache key in addition to hashes.

Browse Source 
This prevents a potential attack that discloses cached data if an attacker
will be able to craft a hash collision between some cache key the attacker
is allowed to access and another cache key with protected data.

See http://mailman.nginx.org/pipermail/nginx-devel/2015-September/007288.html.

Thanks to Gena Makhomed and Sergey Brester.
This commit is contained in:
Maxim Dounin 2015-09-11 17:03:56 +03:00
parent 51f714c85d
commit ce05841eef
1 changed files with 19 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
src/http/ngx_http_file_cache.c
View File

@ -521,9 +521,12 @@ wakeup:
static ngx_int_t static ngx_int_t
ngx_http_file_cache_read(ngx_http_request_t *r, ngx_http_cache_t *c) ngx_http_file_cache_read(ngx_http_request_t *r, ngx_http_cache_t *c)
{ {
u_char *p;
time_t now; time_t now;
ssize_t n; ssize_t n;
ngx_str_t *key;
ngx_int_t rc; ngx_int_t rc;
ngx_uint_t i;
ngx_http_file_cache_t *cache; ngx_http_file_cache_t *cache;
ngx_http_file_cache_header_t *h; ngx_http_file_cache_header_t *h;
@ -547,12 +550,27 @@ ngx_http_file_cache_read(ngx_http_request_t *r, ngx_http_cache_t *c)
return NGX_DECLINED; return NGX_DECLINED;
} }
if (h->crc32 != c->crc32) { if (h->crc32 != c->crc32 || h->header_start != c->header_start) {
ngx_log_error(NGX_LOG_CRIT, r->connection->log, 0, ngx_log_error(NGX_LOG_CRIT, r->connection->log, 0,
"cache file \"%s\" has md5 collision", c->file.name.data); "cache file \"%s\" has md5 collision", c->file.name.data);
return NGX_DECLINED; return NGX_DECLINED;
} }
p = c->buf->pos + sizeof(ngx_http_file_cache_header_t)
+ sizeof(ngx_http_file_cache_key);
key = c->keys.elts;
for (i = 0; i < c->keys.nelts; i++) {
if (ngx_memcmp(p, key[i].data, key[i].len) != 0) {
ngx_log_error(NGX_LOG_CRIT, r->connection->log, 0,
"cache file \"%s\" has md5 collision",
c->file.name.data);
return NGX_DECLINED;
}
p += key[i].len;
}
if ((size_t) h->body_start > c->body_start) { if ((size_t) h->body_start > c->body_start) {
ngx_log_error(NGX_LOG_CRIT, r->connection->log, 0, ngx_log_error(NGX_LOG_CRIT, r->connection->log, 0,
"cache file \"%s\" has too long header", "cache file \"%s\" has too long header",
@ -583,7 +601,6 @@ ngx_http_file_cache_read(ngx_http_request_t *r, ngx_http_cache_t *c)
c->last_modified = h->last_modified; c->last_modified = h->last_modified;
c->date = h->date; c->date = h->date;
c->valid_msec = h->valid_msec; c->valid_msec = h->valid_msec;
c->header_start = h->header_start;
c->body_start = h->body_start; c->body_start = h->body_start;
c->etag.len = h->etag_len; c->etag.len = h->etag_len;
c->etag.data = h->etag; c->etag.data = h->etag;