#2399 closed defect (invalid)
$request_body incomplete if the request body contains NUL/control characters
Reported by: | Owned by: | ||
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | nginx-core | Version: | 1.23.x |
Keywords: | request_body | Cc: | AD7six@… |
uname -a: | Linux e7fd02de8b5b 5.10.104-linuxkit #1 SMP Thu Mar 17 17:08:06 UTC 2022 x86_64 GNU/Linux | ||
nginx -V: |
nginx version: nginx/1.23.1
built by gcc 10.2.1 20210110 (Debian 10.2.1-6)
built with OpenSSL 1.1.1n 15 Mar 2022
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -ffile-prefix-map=/data/builder/debuild/nginx-1.23.1/debian/debuild-base/nginx-1.23.1=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie' |
Description
If a post body contains `\x00` (or maybe other control characters) the variable `$request_body` is incomplete.
Two examples:
- a post request with the content `BEFORE_NULL\x00AFTER_NULL`
  - the variable `$request_body` contains only `BEFORE_NULL`.
- a post request with the content `SOME_PREFIX\x00... some more content \x01 ...MESSAGE CONTINUES HERE`
  - the variable `$request_body` contains only `SOME PREFIX MESSAGE CONTINUES HERE`
I'm not sure of the exact mechanics of what's happening here, but I've created a minimal, reproducible example here: https://github.com/AD7six/nginx-partial-request-body-repro based on the current `nginx:latest` docker image.
Am happy to provide more information if necessary or to chat about this via the community nginx slack https://nginxcommunity.slack.com/archives/C02T18NMZU4/p1665412094085809.
Change History (2)
comment:1 by , 2 years ago
Resolution: | → invalid |
---|---|
Status: | new → closed |
Try using `curl --data-binary` instead, it should fix things for you. Note that `curl --data` you are using in your tests is not intended to be usable with binary data, and expected to corrupt binary data at least at NUL characters (and will also strip carriage returns and newlines, which is explicitly documented behaviour).
comment:2 by , 2 years ago
Thanks for the input!
Indeed that option does fix the reproduction and probably indicates a misunderstanding about what's actually happening on our production systems (where we are not literally logging the `$request_body`). I'll investigate further, but after running a suite of curl-based tests feel somewhat confident there's no nginx problem here :).
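One way to check on which side the bytes go missing, as an added example (not code from the ticket, nginx or curl): a loopback server records the Content-Length and raw body it receives for the ticket's first payload, sent once intact and once after text-mode handling. `text_mode_body` is an assumed, simplified model of the `curl --data` behaviour described in comment:1, and all names here are hypothetical.

```python
import http.client
import socketserver
import threading
from http.server import BaseHTTPRequestHandler

# Constructed payload: the first example body from the ticket.
PAYLOAD = b"BEFORE_NULL\x00AFTER_NULL"


def text_mode_body(raw: bytes) -> bytes:
    """Assumed, simplified model of text-mode handling (not curl's code):
    CR and LF are stripped and the data ends at the first NUL."""
    return raw.replace(b"\r", b"").replace(b"\n", b"").split(b"\x00", 1)[0]


class Capture(BaseHTTPRequestHandler):
    """Records the declared Content-Length and the raw body of each POST."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        self.server.seen.append((length, self.rfile.read(length)))
        self.send_response(204)
        self.end_headers()

    def log_message(self, *args):  # silence per-request logging
        pass


def bodies_seen_by_server(bodies):
    """POST each body to a loopback server; return what the server received."""
    server = socketserver.TCPServer(("127.0.0.1", 0), Capture)
    server.seen = []
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        for body in bodies:
            conn = http.client.HTTPConnection(*server.server_address, timeout=5)
            conn.request("POST", "/", body=body)  # Content-Length = len(body)
            conn.getresponse().read()
            conn.close()
    finally:
        server.shutdown()
        server.server_close()
    return server.seen


if __name__ == "__main__":
    for length, body in bodies_seen_by_server([PAYLOAD, text_mode_body(PAYLOAD)]):
        print(length, body)
```

A body sent as binary arrives with the NUL and its full length, while the text-mode body already carries a shorter Content-Length before any server code runs. Against a real nginx, logging `$content_length` next to `$request_body` gives the same signal.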