Opened 12 days ago

Last modified 11 days ago

#2058 new defect

nginx returns code 500 on zero-size request body when filter module returns 40x

Reported by: meelisroos@…
Owned by:
Priority: minor
Milestone:
Component: nginx-core
Version: 1.19.x
Keywords: filter module 500
Cc: meelisroos@…
uname -a: Linux test-nginx 3.10.0-957.10.1.el7.x86_64 #1 SMP Mon Mar 18 15:06:45 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.19.3
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/ --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie' --add-module=/home/builder/rpmbuild/BUILD/nginx-1.19.3/ngx_http_catch_body_filter_module


When an nginx HTTP filter module processes the request body and the filter returns 40x (400 and 403 tested), nginx returns this response code to the client if the request body has non-zero size, and fails with error 500 when the request body size is 0 (and the filter module returns answer 40x).

I am debugging my own request body filter module for nginx proxy. I found a problem, so I reduced it to a minimal reproducer code fragment.

I took as a base and applied byte counter patch to it, to return 40x on zero or 1 byte body size. For 1-byte body, the 40x response is returned to the client, and for 0-byte body, 500 is returned.

Found on nginx 1.18.0 and tested on 1.19.3.

Patch for my reproducer. In configuration, I have the module turned on for /test:

location = /test {
    real_ip_header X-Forwarded-For;

    # Check content.
    catch_body on;
    proxy_request_buffering on;

    # Proxied server.
    proxy_pass http://localhost:808/blobserver;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_redirect off;
}


The test:
curl -s -S -H 'Content-Type: application/octet-stream' --data-binary '' http://localhost/test

debug log results in this:
2020/10/08 22:07:49 [debug] 23777#23777: *1 generic phase: 13
2020/10/08 22:07:49 [debug] 23777#23777: *1 http request body content length filter
2020/10/08 22:07:49 [debug] 23777#23777: *1 catch request body filter
2020/10/08 22:07:49 [debug] 23777#23777: *1 catch body: wrong length
2020/10/08 22:07:49 [debug] 23777#23777: *1 http finalize request: 500, "/test?" a:1, c:1
2020/10/08 22:07:49 [debug] 23777#23777: *1 http special response: 500, "/test?"
2020/10/08 22:07:49 [debug] 23777#23777: *1 HTTP/1.1 500 Internal Server Error

Attachments (1)

ngx-catch-body.patch (1008 bytes ) - added by meelisroos@… 12 days ago.
reproducer as patch to ngx_http_catch_body_filter_module
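
A simplified C model of the behaviour reported in this ticket, added here as an illustration; it is not nginx source and not the reporter's module. All names are hypothetical, and the split into a "bytes already read" path and a "no buffers" path is the model's assumption. It shows why a body filter's deliberate 403 reaches the client for a 1-byte body but turns into 500 for a zero-size body, and what changes when the filter's return code is preserved.

```c
#include <stddef.h>
#include <stdio.h>

/* Status values used by this model (hypothetical names, not nginx macros). */
enum { ST_OK = 0, ST_FORBIDDEN = 403, ST_INTERNAL_ERROR = 500 };

/* A request body filter: receives the body bytes available (NULL/0 = none). */
typedef int (*body_filter_fn)(const char *buf, size_t len);

/* Models the reporter's byte counter: reject bodies of 0 or 1 byte. */
static int reject_short_body(const char *buf, size_t len)
{
    (void) buf;
    return len <= 1 ? ST_FORBIDDEN : ST_OK;
}

/*
 * Models the start of request body reading.
 * With body bytes already read, the filter's return code is passed on.
 * With none (zero-size body), the filter is called without buffers:
 *   preserve_rc = 0 models the old assumption that any failure is 500,
 *   preserve_rc = 1 models keeping the code the filter returned.
 */
static int start_body_read(body_filter_fn filter, const char *preread,
                           size_t preread_len, int preserve_rc)
{
    int rc;

    if (preread_len > 0) {
        return filter(preread, preread_len);
    }

    rc = filter(NULL, 0);
    if (rc != ST_OK && !preserve_rc) {
        rc = ST_INTERNAL_ERROR;   /* the filter's own status is lost here */
    }
    return rc;
}

int main(void)
{
    printf("1 byte,  old:   %d\n", start_body_read(reject_short_body, "x", 1, 0));
    printf("0 bytes, old:   %d\n", start_body_read(reject_short_body, NULL, 0, 0));
    printf("0 bytes, fixed: %d\n", start_body_read(reject_short_body, NULL, 0, 1));
    return 0;
}
```

For anything that counts rejections by status code, the old path files a policy denial under server errors, which hides it from 403-based monitoring.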


Change History (2)

by meelisroos@…, 12 days ago

Attachment: ngx-catch-body.patch added

reproducer as patch to ngx_http_catch_body_filter_module

comment:1 by Maxim Dounin, 11 days ago

Thanks for reporting this. Looks like a leftover from before request body filters were introduced: previously, the only possible return code on the initial ngx_http_request_body_filter() call without any buffers was 500. Please try the following patch:

# HG changeset patch
# User Maxim Dounin <>
# Date 1602265457 -10800
#      Fri Oct 09 20:44:17 2020 +0300
# Node ID f4f9d2d02b4c840ed0c34628818b444c7b21cd83
# Parent  559d19037984d062781da0419c8b82aa3c1b415d
Request body: removed error assumption (ticket #2058).

Before introduction of request body filter in 42d9beeb22db, the only
possible return code from the ngx_http_request_body_filter() call
without actual buffers was NGX_HTTP_INTERNAL_SERVER_ERROR, and
the code in ngx_http_read_client_request_body() hardcoded the only
possible error to simplify the code of initial call to set rb->buf.

This is no longer true after introduction of request body filters though,
as a request body filter might need to return other errors, such as 403.
Fix is to preserve the error code actually returned by the call
instead of assuming 500.

diff --git a/src/http/ngx_http_request_body.c b/src/http/ngx_http_request_body.c
--- a/src/http/ngx_http_request_body.c
+++ b/src/http/ngx_http_request_body.c
@@ -137,8 +137,9 @@ ngx_http_read_client_request_body(ngx_ht
     } else {
         /* set rb->rest */
-        if (ngx_http_request_body_filter(r, NULL) != NGX_OK) {
+        rc = ngx_http_request_body_filter(r, NULL);
+        if (rc != NGX_OK) {
             goto done;
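Review bot: at `goto done` in the `else` branch, every non-`NGX_OK` value a body filter returns on the buffer-less call now reaches `done` unchanged, whereas the removed `if (ngx_http_request_body_filter(r, NULL) != NGX_OK)` discarded the value. It would help to say, in the `/* set rb->rest */` comment or in the filter documentation, which return values a filter may produce on this `NULL` call, and to add a test for the ticket's case (zero-size body, filter returning 403) so the 500 assumption cannot return unnoticed. The hunk header announces 8 and 9 lines but fewer are shown here, so how `done` treats `rc` cannot be checked from this excerpt.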