Origin: https://github.com/nginx/nginx/commit/524977e7c534e87e5b55739fa74601c9f1102686
From 524977e7c534e87e5b55739fa74601c9f1102686 Mon Sep 17 00:00:00 2001
From: Roman Arutyunyan <arut@nginx.com>
Date: Wed, 22 Apr 2026 09:39:31 +0400
Subject: [PATCH] Rewrite: fixed escaping and possible buffer overrun

The following code resulted in incorrect escaping of $1 and possible
segfault:

    location / {
        rewrite ^(.*) /new?c=1;
        set $myvar $1;
        return 200 $myvar;
    }

If there were arguments in a rewrite's replacement string, the is_args flag
was set and incorrectly never cleared.  This resulted in escaping applied
to any captures evaluated afterwards in set or if.  Additionally buffer was
allocated by ngx_http_script_complex_value_code() without escaping expected,
thus this also resulted in buffer overrun and possible segfault.

A similar issue was fixed in 74d939974d43.

Reported by Leo Lin.
---
 src/http/ngx_http_script.c | 1 +
 1 file changed, 1 insertion(+)

Index: nginx/src/http/ngx_http_script.c
===================================================================
--- nginx.orig/src/http/ngx_http_script.c
+++ nginx/src/http/ngx_http_script.c
@@ -1202,6 +1202,7 @@ ngx_http_script_regex_end_code(ngx_http_
 
     r = e->request;
 
+    e->is_args = 0;
     e->quote = 0;
 
     ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,