authorCoprDistGit <infra@openeuler.org>2026-05-19 07:31:02 +0000
committerCoprDistGit <infra@openeuler.org>2026-05-19 07:31:02 +0000
commit9a57a5bc9947dd73cbe060a0584599f694ef9c4d (patch)
treeca517e733b8893655752783e36bd05e7b9dafcaa /backport-CVE-2026-28753.patch
parent84c38e44b89abd508b2c386dc7e6c13f30ec8cc8 (diff)
Diffstat (limited to 'backport-CVE-2026-28753.patch')
-rw-r--r--backport-CVE-2026-28753.patch87
1 files changed, 87 insertions, 0 deletions
diff --git a/backport-CVE-2026-28753.patch b/backport-CVE-2026-28753.patch
new file mode 100644
index 0000000..0ba89c6
--- /dev/null
+++ b/backport-CVE-2026-28753.patch
@@ -0,0 +1,87 @@
+From 6f3145006b41a4ec464eed4093553a335d35e8ac Mon Sep 17 00:00:00 2001
+From: Roman Arutyunyan <arut@nginx.com>
+Date: Thu, 26 Feb 2026 11:52:53 +0400
+Subject: [PATCH] Mail: host validation.
+
+Now host name resolved from client address is validated to only contain
+the characters specified in RFC 1034, Section 3.5. The validation allows
+to avoid injections when using the resolved host name in auth_http and
+smtp proxy.
+
+Reported by Asim Viladi Oglu Manizada, Colin Warren,
+Xiao Liu (Yunnan University), Yuan Tan (UC Riverside), and
+Bird Liu (Lanzhou University).
+---
+ src/mail/ngx_mail_smtp_handler.c | 45 ++++++++++++++++++++++++++++++++
+ 1 file changed, 45 insertions(+)
+
+diff --git a/src/mail/ngx_mail_smtp_handler.c b/src/mail/ngx_mail_smtp_handler.c
+index 1e26c2c8d7..97bbd70631 100644
+--- a/src/mail/ngx_mail_smtp_handler.c
++++ b/src/mail/ngx_mail_smtp_handler.c
+@@ -13,6 +13,7 @@
+
+
+ static void ngx_mail_smtp_resolve_addr_handler(ngx_resolver_ctx_t *ctx);
++static ngx_int_t ngx_mail_smtp_validate_host(ngx_str_t *name);
+ static void ngx_mail_smtp_resolve_name(ngx_event_t *rev);
+ static void ngx_mail_smtp_resolve_name_handler(ngx_resolver_ctx_t *ctx);
+ static void ngx_mail_smtp_block_reading(ngx_event_t *rev);
+@@ -127,6 +128,20 @@ ngx_mail_smtp_resolve_addr_handler(ngx_resolver_ctx_t *ctx)
+ return;
+ }
+
++ if (ngx_mail_smtp_validate_host(&ctx->name) != NGX_OK) {
++ ngx_log_error(NGX_LOG_ERR, c->log, 0,
++ "%V resolved to invalid host name \"%V\"",
++ &c->addr_text, &ctx->name);
++
++ s->host = smtp_tempunavail;
++
++ ngx_resolve_addr_done(ctx);
++
++ ngx_mail_smtp_greeting(s, s->connection);
++
++ return;
++ }
++
+ c->log->action = "in resolving client hostname";
+
+ s->host.data = ngx_pstrdup(c->pool, &ctx->name);
+@@ -149,6 +164,36 @@ ngx_mail_smtp_resolve_addr_handler(ngx_resolver_ctx_t *ctx)
+ }
+
+
++static ngx_int_t
++ngx_mail_smtp_validate_host(ngx_str_t *name)
++{
++ u_char ch;
++ ngx_uint_t i;
++
++ if (name->len == 0) {
++ return NGX_DECLINED;
++ }
++
++ for (i = 0; i < name->len; i++) {
++ ch = name->data[i];
++
++ /* allow only characters from RFC 1034, Section 3.5 */
++
++ if ((ch >= 'a' && ch <= 'z')
++ || (ch >= 'A' && ch <= 'Z')
++ || (ch >= '0' && ch <= '9')
++ || ch == '-' || ch == '.')
++ {
++ continue;
++ }
++
++ return NGX_DECLINED;
++ }
++
++ return NGX_OK;
++}
++
++
+ static void
+ ngx_mail_smtp_resolve_name(ngx_event_t *rev)
+ {