It doesn't and there are a few more for which this doesn't work either, it needs a lot more work and testing. I had a new concept patch but today decided to roll back to 1.1.1d and back port 1.1.1e (de) patches only. Only NGX_ERROR mitigates a truncation attack, not NGX_DONE (which is open for debate).
Posted at Nginx Forum: https://forum.nginx.org/read.php?2,287377,287426#msg-287426 _______________________________________________ nginx mailing list nginx@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx
