Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#188 closed defect (invalid)

client_body_in_file_only clean removes files before PHP can read them

Reported by: Krzysztof Warzecha
Owned by: somebody
Priority: minor
Milestone:
Component: nginx-core
Version: 1.2.x
Keywords:
Cc: kwarzecha7@…
uname -a: Linux bebzol.com 3.2.13-grsec-xxxx-grs-ipv6-64 #1 SMP Thu Mar 29 09:48:59 UTC 2012 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.2.1
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-log-path=/var/log/nginx/access.log --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --lock-path=/var/lock/nginx.lock --pid-path=/var/run/nginx.pid --with-pcre-jit --with-debug --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_realip_module --with-http_stub_status_module --with-http_ssl_module --with-http_sub_module --with-http_xslt_module --with-ipv6 --with-sha1=/usr/include/openssl --with-md5=/usr/include/openssl --with-mail --with-mail_ssl_module --add-module=/tmp/buildd/nginx-1.2.1/debian/modules/nginx-auth-pam --add-module=/tmp/buildd/nginx-1.2.1/debian/modules/nginx-echo --add-module=/tmp/buildd/nginx-1.2.1/debian/modules/nginx-upstream-fair --add-module=/tmp/buildd/nginx-1.2.1/debian/modules/nginx-dav-ext-module

Description

Hello,

If I use "client_body_in_file_only clean;", the upload will sometimes fail with the message:

[17-Jul-2012 12:08:46 UTC] PHP Warning:  REQUEST_BODY_FILE: open('/dev/shm/client_body_temp/0000109431') failed: No such file or directory (2) in Unknown on line 0

My conf:

location ~ \.php$ {
    # wiki.nginx.org/Pitfalls#Passing_Uncontrolled_Requests_to_PHP
    location ~ \..*/.*\.php$ {return 404;}

    fastcgi_pass_request_body off;
    client_body_in_file_only clean;
    fastcgi_param REQUEST_BODY_FILE $request_body_file;
    fastcgi_pass   unix:/var/run/php5-fpm.sock;
    fastcgi_index  index.php;
    fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
    include fastcgi_params;
}

I used strace to see what is going on; the results are in the attachment. I believe nginx removes the file before PHP can open it, but speaking from experience it may be a configuration issue or just PHP's fault.

Relevant strace fragment:

28200 <... recvfrom resumed> "POST /check.php HTTP/1.1\r\nHost: "..., 1024, 0, NULL, NULL) = 834
28200 open("/dev/shm/client_body_temp/0000109018", O_RDWR|O_CREAT|O_EXCL, 0600 <unfinished ...>
...
28200 connect(20, {sa_family=AF_FILE, path="/var/run/php5-fpm.sock"}, 110 <unfinished ...>
28200 <... connect resumed> )           = 0
22502 <... accept resumed> {sa_family=AF_FILE, NULL}, [2]) = 11
...
28200 writev(20, [{"\1\1\0\1\0\10\0\0\0\1\0\0\0\0\0\0\1\4\0\1\5\232\6\0\21$REQUES"..., 1480}], 1 <unfinished ...>
...
28200 unlink("/dev/shm/client_body_temp/0000109018" <unfinished ...>
...
28200 close(20 <unfinished ...>
...
28200 unlink("/dev/shm/client_body_temp/0000109018" <unfinished ...>
...
22502 <... read resumed> "\21$REQUEST_BODY_FILE/dev/shm/clie"..., 1440) = 1440
...
22502 open("/dev/shm/client_body_temp/0000109018", O_RDONLY <unfinished ...>
22502 <... open resumed> )              = -1 ENOENT (No such file or directory)

I can provide more information / logs if needed. This is Debian wheezy, with stock php-fpm and stock nginx.

Attachments (1)

strace-log-1 (23.7 KB) - added by Krzysztof Warzecha 8 years ago.


Change History (3)

by Krzysztof Warzecha, 8 years ago

Attachment: strace-log-1 added

comment:1 by Maxim Dounin, 8 years ago

Resolution: invalid
Status: new → closed

According to the strace provided, unlink() happens after request processing ends due to the connection being closed by a client:

28200 recvfrom(86,  <unfinished ...>
28200 <... recvfrom resumed> "", 1, MSG_PEEK, NULL, NULL) = 0
28200 close(20 <unfinished ...>
28200 <... close resumed> )             = 0
28200 write(5, "87.205.155.163 - - [17/Jul/2012:"..., 202 <unfinished ...>
28200 <... write resumed> )             = 202
28200 unlink("/dev/shm/client_body_temp/0000109018" <unfinished ...>

That is, this is expected behaviour. You may either handle this in your code, or configure nginx to ignore connection aborts with fastcgi_ignore_client_abort.

comment:2 by Krzysztof Warzecha, 8 years ago

This was indeed a configuration issue, fastcgi_ignore_client_abort fixed it. Thank you very much!
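
The sequence identified in comment:1 can be checked mechanically. The following is an added example, not part of the original ticket or of nginx: it scans PID-prefixed strace output for an open() that fails with ENOENT on a path another PID already unlinked, and records whether that PID had first seen its client close the connection (a recv with MSG_PEEK returning 0). The function name is hypothetical and the sample is constructed from the strace lines quoted in this ticket.

```python
import re

# Constructed sample: lines taken from the strace fragments quoted in this ticket,
# trimmed to the calls that matter (28200 = nginx worker, 22502 = php-fpm worker).
SAMPLE = r'''
28200 open("/dev/shm/client_body_temp/0000109018", O_RDWR|O_CREAT|O_EXCL, 0600 <unfinished ...>
28200 recvfrom(86,  <unfinished ...>
28200 <... recvfrom resumed> "", 1, MSG_PEEK, NULL, NULL) = 0
28200 close(20 <unfinished ...>
28200 unlink("/dev/shm/client_body_temp/0000109018" <unfinished ...>
...
22502 open("/dev/shm/client_body_temp/0000109018", O_RDONLY <unfinished ...>
22502 <... open resumed> )              = -1 ENOENT (No such file or directory)
'''

LINE = re.compile(r'^(\d+)\s+(.*)$')
PATH_CALL = re.compile(r'^(open|unlink)\("([^"]+)"')
PEER_EOF = re.compile(r'MSG_PEEK.*=\s*0$')  # recv(MSG_PEEK) returned 0: peer closed

def find_unlink_races(strace_text):
    """List open() calls that got ENOENT on a path another PID had unlinked."""
    saw_eof = set()    # PIDs that observed their peer closing the connection
    unlinked = {}      # path -> (unlinking pid, whether it had seen EOF first)
    pending = {}       # pid -> path of an open() still marked <unfinished ...>
    findings = []
    for raw in strace_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue   # blank lines and "..." elisions
        pid, rest = m.groups()
        failed = None  # path of an open() that failed with ENOENT on this line
        if PEER_EOF.search(rest):
            saw_eof.add(pid)
        call = PATH_CALL.match(rest)
        if call and call.group(1) == 'unlink':
            unlinked.setdefault(call.group(2), (pid, pid in saw_eof))
        elif call and rest.endswith('<unfinished ...>'):
            pending[pid] = call.group(2)
        elif call and 'ENOENT' in rest:
            failed = call.group(2)
        elif rest.startswith('<... open resumed>'):
            path = pending.pop(pid, None)
            failed = path if 'ENOENT' in rest else None
        if failed in unlinked and unlinked[failed][0] != pid:
            owner, after_eof = unlinked[failed]
            findings.append({'path': failed, 'unlinked_by': owner,
                             'opened_by': pid, 'after_client_close': after_eof})
    return findings
```

A finding with `after_client_close` set to true matches the diagnosis in comment:1: the temporary file was removed because the request ended on client abort, which is the case fastcgi_ignore_client_abort addresses.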
