Opened 4 years ago

Closed 3 years ago

#1144 closed defect (wontfix)

BUG - cannot include files with * mask on windows server 2012r2

Reported by: axos88@…
Owned by:
Priority: minor
Milestone:
Component: nginx-core
Version: 1.11.x
Keywords: win32
Cc:
uname -a: n/a
nginx -V: $ ../../nginx.exe -V
nginx version: nginx/1.11.6
built by cl 16.00.30319.01 for 80x86
built with OpenSSL 1.0.2j 26 Sep 2016
TLS SNI support enabled
configure arguments: --with-cc=cl --builddir=objs.msvc8 --with-debug --prefix= --conf-path=conf/nginx.conf --pid-path=logs/nginx.pid --http-log-path=logs/access.log --error-log-path=logs/error.log --sbin-path=nginx.exe --http-client-body-temp-path=temp/client_body_temp --http-proxy-temp-path=temp/proxy_temp --http-fastcgi-temp-path=temp/fastcgi_temp --http-scgi-temp-path=temp/scgi_temp --http-uwsgi-temp-path=temp/uwsgi_temp --with-cc-opt=-DFD_SETSIZE=1024 --with-pcre=objs.msvc8/lib/pcre-8.39 --with-zlib=objs.msvc8/lib/zlib-1.2.8 --with-select_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_stub_status_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_random_index_module --with-http_secure_link_module --with-http_slice_module --with-mail --with-stream --with-openssl=objs.msvc8/lib/openssl-1.0.2j --with-openssl-opt=no-asm --with-http_ssl_module --with-mail_ssl_module --with-stream_ssl_module

Description

Adding include C:/nginx/nginx-1.10.1/conf/sites-enabled/*; to the nginx conf results in the following error (maybe when enumerating the contents of the directory, it tries to read . and .. as well?):

==> error.log <==
2016/11/24 13:35:54 [error] 6168#18144: ReadFile() "C:/nginx/nginx-1.10.1/conf/sites-enabled/.." failed (1: Incorrect function)

==> nginx.log <==
nginx: [error] ReadFile() "C:/nginx/nginx-1.10.1/conf/sites-enabled/.." failed (1: Incorrect function)

nginx -V:

nginx version: nginx/1.10.1
built by cl 16.00.30319.01 for 80x86
built with OpenSSL 1.0.2h 3 May 2016
TLS SNI support enabled
configure arguments: --with-cc=cl --builddir=objs.msvc8 --with-debug --prefix= --conf-path=conf/nginx.conf --pid-path=logs/nginx.pid --http-log-path=logs/access.log --error-log-path=logs/error.log --sbin-path=nginx.exe --http-client-body-temp-path=temp/client_body_temp --http-proxy-temp-path=temp/proxy_temp --http-fastcgi-temp-path=temp/fastcgi_temp --http-scgi-temp-path=temp/scgi_temp --http-uwsgi-temp-path=temp/uwsgi_temp --with-cc-opt=-DFD_SETSIZE=1024 --with-pcre=objs.msvc8/lib/pcre-8.38 --with-zlib=objs.msvc8/lib/zlib-1.2.8 --with-select_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_stub_status_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_random_index_module --with-http_secure_link_module --with-http_slice_module --with-mail --with-stream --with-openssl=objs.msvc8/lib/openssl-1.0.2h --with-openssl-opt=no-asm --with-http_ssl_module --with-mail_ssl_module --with-stream_ssl_module --with-ipv6

Also happens with 1.11.6:

$ ../../nginx.exe -V
nginx version: nginx/1.11.6
built by cl 16.00.30319.01 for 80x86
built with OpenSSL 1.0.2j 26 Sep 2016
TLS SNI support enabled
configure arguments: --with-cc=cl --builddir=objs.msvc8 --with-debug --prefix= --conf-path=conf/nginx.conf --pid-path=logs/nginx.pid --http-log-path=logs/access.log --error-log-path=logs/error.log --sbin-path=nginx.exe --http-client-body-temp-path=temp/client_body_temp --http-proxy-temp-path=temp/proxy_temp --http-fastcgi-temp-path=temp/fastcgi_temp --http-scgi-temp-path=temp/scgi_temp --http-uwsgi-temp-path=temp/uwsgi_temp --with-cc-opt=-DFD_SETSIZE=1024 --with-pcre=objs.msvc8/lib/pcre-8.39 --with-zlib=objs.msvc8/lib/zlib-1.2.8 --with-select_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_stub_status_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_random_index_module --with-http_secure_link_module --with-http_slice_module --with-mail --with-stream --with-openssl=objs.msvc8/lib/openssl-1.0.2j --with-openssl-opt=no-asm --with-http_ssl_module --with-mail_ssl_module --with-stream_ssl_module

Change History (7)

comment:1 by Maxim Dounin, 4 years ago

Keywords: win32 added; bug config include start-up incorrect function removed
Priority: major → minor

On Windows, nginx uses FindFirstFile() / FindNextFile() functions to resolve masks given in include directives. No additional filtering is done after it. It happens to behave slightly differently than glob() used on Unix, in particular, bare * doesn't match dot-files (to match them, one should explicitly write dot in a pattern, like .*, see here).

As a result, a pattern you've written matches . and .. directory entries on Windows, leading to errors. Not sure if we want to do anything with this, probably no.

An obvious solution is to use a more restrictive pattern instead, for example:

include .../*.conf;

Note well that using bare * is an unsafe practice and not recommended even on Unix.

comment:2 by axos88@…, 4 years ago

Hmm, interesting, that's how nginx cookbook generates its configuration by default. Includes everything under sites-enabled

comment:3 by axos88@…, 4 years ago

Can't we just skip anything that is not a file? Would probably bork if there are matched subdirectories as well?

comment:4 by axos88@…, 4 years ago

Even if we don't modify it, it would be nice to add a note in the docs about this caveat / limitation. Btw, why is the * unsafe?

in reply to:  2 comment:5 by Maxim Dounin, 4 years ago

> Hmm, interesting, that's how nginx cookbook generates its configuration by default.

Well, someone is always wrong on the Internet.

> Can't we just skip anything that is not a file?

We can, but this implies additional code to check the files. Also, this can cause various other unexpected effects, e.g., such an approach can break symlinks, or, e.g., pipes. Using proper mask is much easier and implies no unrelated breakage.

> Btw, why is the * unsafe?

Because in practice there are lots of situations when bare * matches unintended things, and we constantly see users being bitten by this. For example, there are editors which store temporary files with suffix ~.

comment:6 by axos88@…, 4 years ago

Gotcha. So it's not unsafe as in security, but unsafe as in it's going to cause you pain and suffering.

Already opened an issue with the cookbook.

comment:7 by Maxim Dounin, 3 years ago

Resolution: wontfix
Status: new → closed

Closing this, using proper configuration is believed to be a good enough solution.
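
An added example (not part of the ticket and not nginx code) of the mask behaviour described in comment:1 and comment:5: it audits include directives against a constructed directory listing, using simplified models of FindFirstFile() and glob(). The listing, the helper names and the rule that only non-hidden *.conf files are intended are assumptions of this example.

```python
import fnmatch
import re

# Constructed listing of a sites-enabled directory. "." and ".." are included
# because FindFirstFile()/FindNextFile() return them as ordinary entries.
LISTING = [".", "..", "default.conf", "api.conf", "api.conf~", ".api.conf.swp", "old"]
INCLUDE_RE = re.compile(r"^\s*include\s+([^;#]+);", re.MULTILINE)

def posix_glob_match(names, mask):
    """glob()-like model: a leading dot must be written explicitly in the mask."""
    return [n for n in names
            if fnmatch.fnmatchcase(n, mask)
            and (mask.startswith(".") or not n.startswith("."))]

def win_find_match(names, mask):
    """Simplified FindFirstFile() model: case-insensitive, no dot-file rule,
    so a bare "*" also returns "." and ".."."""
    return [n for n in names if fnmatch.fnmatchcase(n.lower(), mask.lower())]

def is_unintended(name):
    """Assumption of this example: only non-hidden *.conf files are wanted."""
    return name.startswith(".") or not name.endswith(".conf")

def audit_includes(conf_text, names=LISTING):
    """For every wildcard include, report what each platform model would load."""
    report = []
    for path in INCLUDE_RE.findall(conf_text):
        path = path.strip().strip("\"'")
        mask = path.replace("\\", "/").rsplit("/", 1)[-1]
        if not any(c in mask for c in "*?["):
            continue  # plain file name, nothing to expand
        win, posix = win_find_match(names, mask), posix_glob_match(names, mask)
        report.append({
            "include": path,
            "windows": win,
            "unix": posix,
            "unintended": sorted(n for n in set(win) | set(posix) if is_unintended(n)),
        })
    return report

# Constructed configuration; the first wildcard include is the one from the ticket.
SAMPLE_CONF = """
http {
    include mime.types;
    include C:/nginx/nginx-1.10.1/conf/sites-enabled/*;
    include conf.d/*.conf;
}
"""
```

Calling audit_includes(SAMPLE_CONF) returns one entry per wildcard include; an empty "unintended" list means the mask is restrictive enough under both models.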
