Opened 17 months ago

Closed 17 months ago

Last modified 17 months ago

#2399 closed defect (invalid)

$request_body incomplete if the request body contains NUL/control characters

Reported by: AD7six@… Owned by:
Priority: minor Milestone:
Component: nginx-core Version: 1.23.x
Keywords: request_body Cc: AD7six@…
uname -a: Linux e7fd02de8b5b 5.10.104-linuxkit #1 SMP Thu Mar 17 17:08:06 UTC 2022 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.23.1
built by gcc 10.2.1 20210110 (Debian 10.2.1-6)
built with OpenSSL 1.1.1n 15 Mar 2022
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -ffile-prefix-map=/data/builder/debuild/nginx-1.23.1/debian/debuild-base/nginx-1.23.1=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'

Description

If a post body contains \x00 (or maybe other control characters) the variable $request_body is incomplete.

Two examples:

  • a post request with the content BEFORE_NULL\x00AFTER_NULL - the variable $request_body contains only BEFORE_NULL.
  • a post request with the content SOME_PREFIX\x00... some more content \x01 ...MESSAGE CONTINUES HERE - the variable $request_body contains only SOME PREFIX MESSAGE CONTINUES HERE

I'm not sure of the exact mechanics of what's happening here, but I've created a minimal, reproducible example here: https://github.com/AD7six/nginx-partial-request-body-repro based on the current nginx:latest docker image.

Am happy to provide more information if necessary or to chat about this via the community nginx slack https://nginxcommunity.slack.com/archives/C02T18NMZU4/p1665412094085809.

Change History (2)

comment:1 by Maxim Dounin, 17 months ago

Resolution: invalid
Status: newclosed

Try using curl --data-binary instead, it should fix things for you. Note that curl --data you are using in your tests is not intended to be usable with binary data, and expected to corrupt binary data at least at NUL characters (and will also strip carriage returns and newlines, which is explicitly documented behaviour).

comment:2 by AD7six@…, 17 months ago

Thanks for the input!

Indeed that option does fix the reproduction and probably indicates a misunderstanding about what's actually happening on our production systems (where we are not literally logging the $request_body). I'll investigate further, but after running a suite of curl-based tests feel somewhat confident there's no nginx problem here :).

Note: See TracTickets for help on using tickets.