Opened 3 months ago

Closed 3 months ago

#2342 closed defect (invalid)

Setting a very high max-age value for Cache-Control causes int overflow

Reported by: hyphenized@… Owned by:
Priority: minor Milestone:
Component: nginx-core Version: 1.19.x
Keywords: Cc:
uname -a: Tested on Windows
nginx -V: nginx version: nginx/1.20.2


When proxying to a Ruby on Rails application, it is possible to receive 100 years (in seconds) as the max age value for the purpose of caching the response forever. In such cases, when nginx parses the value, it ends up being negative, thus marking all cache responses as EXPIRED.

According to the spec:

   the cache must consider the
   value to be either 2147483648 (2^31) or the greatest positive integer
   it can conveniently represent

I think the issue might be somewhere near .

Change History (2)

comment:1 by hyphenized@…, 3 months ago

My bad, this is the result for nginx -V

nginx version: nginx/1.20.2
built by cl 16.00.40219.01 for 80x86
built with OpenSSL 1.1.1l  24 Aug 2021
TLS SNI support enabled
configure arguments: --with-cc=cl --builddir=objs.msvc8 --with-debug --prefix= --conf-path=conf/nginx.conf --pid-path=logs/ --http-log-path=logs/access.log --error-log-path=logs/error.log --sbin-path=nginx.exe --http-client-body-temp-path=temp/client_body_temp --http-proxy-temp-path=temp/proxy_temp --http-fastcgi-temp-path=temp/fastcgi_temp --http-scgi-temp-path=temp/scgi_temp --http-uwsgi-temp-path=temp/uwsgi_temp --with-cc-opt=-DFD_SETSIZE=1024 --with-pcre=objs.msvc8/lib/pcre-8.44 --with-zlib=objs.msvc8/lib/zlib-1.2.11 --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_stub_status_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_random_index_module --with-http_secure_link_module --with-http_slice_module --with-mail --with-stream --with-openssl=objs.msvc8/lib/openssl-1.1.1l --with-openssl-opt='no-asm no-tests -D_WIN32_WINNT=0x0501' --with-http_ssl_module --with-mail_ssl_module --with-stream_ssl_module

comment:2 by Maxim Dounin, 3 months ago

Resolution: invalid
Status: new → closed

The maximum supported expiration time is limited by the size of time_t, and on most 32-bit platforms, including Windows, this means that only dates up to 2038 are supported. If you have to use higher expiration times for some reason, you have to switch to a 64-bit platform.

Note that standard Windows binaries as shipped on are currently 32-bit, see #1391. If you need a 64-bit Windows binary, see here for instructions on how to build it yourself.
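The failure mode discussed in this ticket, as an added example that is not nginx's code and not written by either commenter: it models what a 32-bit signed time value does with a 100-year `max-age`, next to a variant that clamps to the greatest representable time as the quoted spec text allows. The type `time32_t`, all function names, and the sample `now` and `max-age` values are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>

typedef int32_t time32_t;  /* assumption: stands in for a 32-bit time_t */

/* Parse the digits after "max-age=" into 64 bits; -1 if there are none. */
static int64_t parse_delta(const char *s)
{
    int64_t v = 0;
    if (*s < '0' || *s > '9') return -1;
    for (; *s >= '0' && *s <= '9'; s++) {
        if (v > (INT64_MAX - 9) / 10) return INT64_MAX;  /* saturate */
        v = v * 10 + (*s - '0');
    }
    return v;
}

/* Storing the value in a 32-bit signed field keeps only the low 32 bits.
   Unsigned math keeps the wrap out of undefined behaviour; the final cast
   is implementation-defined and wraps on common compilers. */
static time32_t truncate32(int64_t delta)
{
    return (time32_t) (uint32_t) delta;
}

static time32_t expiry_truncating(time32_t now, int64_t delta)
{
    return (time32_t) ((uint32_t) now + (uint32_t) delta);
}

/* Clamp to the greatest representable time instead of wrapping. */
static time32_t expiry_saturating(time32_t now, int64_t delta)
{
    if (delta < 0) return now;  /* no valid value: not fresh (assumption) */
    if (delta > (int64_t) INT32_MAX - now) return INT32_MAX;
    return (time32_t) (now + delta);
}

int main(void)
{
    time32_t now = 1650000000;              /* constructed: April 2022 */
    int64_t d = parse_delta("3155760000");  /* constructed: 100 * 365.25 days */
    printf("delta as int32: %d\n", (int) truncate32(d));
    printf("truncating expiry: %d (fresh=%d)\n",
           (int) expiry_truncating(now, d), expiry_truncating(now, d) > now);
    printf("saturating expiry: %d (fresh=%d)\n",
           (int) expiry_saturating(now, d), expiry_saturating(now, d) > now);
    return 0;
}
```

With the truncating variant the computed expiry lands before `now`, so the entry is treated as expired; the saturating variant pins it to the 2038 limit mentioned in comment:2.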
