#512 closed defect (duplicate)

Opened 10 years ago, closed 10 years ago

Passing invalid headers allow to corrupt/forge messages in error_log

Reported by: Mike Kazantsev
Owned by: (none)
Priority: minor
Milestone: (none)
Component: nginx-core
Version: 1.4.x
Keywords: (none)
Cc: (none)
uname -a: Linux damnation 3.12.11 #4 SMP Sat Feb 15 23:20:27 YEKT 2014 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.4.4
TLS SNI support enabled
configure arguments: --prefix=/srv/www/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error_log --pid-path=/run/nginx.pid --lock-path=/run/lock/nginx.lock --user=nginx --group=nginx --http-log-path=/var/log/nginx/access_log --http-client-body-temp-path=/tmp/nginx/client --http-proxy-temp-path=/tmp/nginx/proxy --http-fastcgi-temp-path=/tmp/nginx/fastcgi --http-scgi-temp-path=/tmp/nginx/scgi --http-uwsgi-temp-path=/tmp/nginx/uwsgi --with-pcre --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module --with-http_geoip_module --with-http_dav_module --with-http_flv_module --with-http_gzip_static_module --with-http_secure_link_module --with-http_stub_status_module --with-http_spdy_module --without-http_ssi_module --without-http_referer_module --without-http_browser_module --without-http_upstream_least_conn_module --without-http_upstream_keepalive_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module

Description

"Client sent invalid header line" messages in error_log don't seem to escape the actual "header line" data, potentially allowing malicious clients to produce messages there that will look exactly like nginx errors, but are constructed entirely by the client.

For example, lately I seem to be getting plenty of messages like this (non-ascii escaped):

2014/02/26 02:18:57 [info] 1123#0: *6352 client sent invalid header line: "Host: \x00\x00\x00\x00\r\nUser-Agent: Mozilost\x00 cane\x00\nAccept\x00 */*\x00\n\r\n\nUser-Agent\x00 Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)\x00\n\r\nrs; feed-id=515b78fb4dce574a7d0034d3)\x00\nIf-Modified-Since\x00 Tue, 25 Feb 2014 18:51:34 GMT\x00\n\r\n\x00\x00\x00...

(can be transformed back into the original binary line with e.g.: python -c print\ \''<above message>'\')

As a result, what should be one log entry spans several lines (as the logged header itself contains newlines), so roughly guessing the time (from e.g. server http headers) seems to allow injecting seemingly-legit messages that aren't actually nginx errors into that log, also making it a bit more difficult to read (with such binary requests flying around lately).

Maybe escaping such data in some way would be possible?
Or an option to do so, if it might hurt performance too much.
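The injection described above, as an added example that is not part of the ticket or of nginx's own code: a constructed malicious header carrying CRLF plus a forged "[crit]" entry is written into a log line the way the reporter observed (raw bytes, no escaping) and then with one possible escaping scheme (`\xNN` for control and non-ASCII bytes, backslash-escaped quotes). A naive log reader that starts a new entry at every timestamp prefix sees two entries in the first case and one in the second. The `unterminated_quote` check is a reader-side heuristic for existing logs: if the quoted header on a physical line is never closed, a raw newline got into the log and the lines that follow are untrusted. All function names, the escaping scheme and the sample data are assumptions for this example, not nginx's actual implementation.

```python
import re

# nginx error_log prefix, e.g. "2014/02/26 02:18:57 [info] 1123#0: *6352 ..."
# (no trailing "$": an entry may already contain injected newlines)
PREFIX_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] '
    r'(?P<pid>\d+)#(?P<tid>\d+): (?P<msg>.*)'
)
INVALID_HDR = 'client sent invalid header line: "'

# Constructed malicious header (not a real capture): a CRLF inside the Host
# value, followed by a forged nginx entry, followed by more header junk.
FORGED = ('2014/02/26 02:18:58 [crit] 1123#0: *6352 '
          'open() "/etc/passwd" failed (13: Permission denied)')
MALICIOUS_HEADER = ('Host: \x00\x00\r\n' + FORGED + '\r\nUser-Agent: x\x00').encode('latin-1')


def escape_log_bytes(data):
    """Escape a header so it stays on one log line (assumed scheme, not nginx's):
    control bytes and non-ASCII become \\xNN, quote and backslash are escaped."""
    out = []
    for b in data:
        if b == 0x22:            # "
            out.append('\\"')
        elif b == 0x5C:          # backslash
            out.append('\\\\')
        elif 0x20 <= b < 0x7F:   # printable ASCII
            out.append(chr(b))
        else:                    # \r, \n, \0, 0x80+ ...
            out.append('\\x%02X' % b)
    return ''.join(out)


def format_invalid_header(ts, level, pid, tid, conn, header, escape):
    """Build the error_log line, raw (as in the ticket) or escaped."""
    payload = escape_log_bytes(header) if escape else header.decode('latin-1')
    return '%s [%s] %d#%d: *%d %s%s"' % (ts, level, pid, tid, conn, INVALID_HDR, payload)


def split_entries(log_text):
    """Naive log reader: every physical line with a timestamp prefix starts an entry."""
    entries = []
    for line in log_text.split('\n'):
        if line == '':
            continue
        if PREFIX_RE.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += '\n' + line
    return entries


def unterminated_quote(physical_line):
    """Heuristic for existing logs: the line opens the header quote but never closes it
    (quote parity after dropping backslash escapes), so the header contained a raw newline."""
    i = physical_line.find(INVALID_HDR)
    if i < 0:
        return False
    rest = re.sub(r'\\.', '', physical_line[i + len(INVALID_HDR):])
    return rest.count('"') % 2 == 0


def demo(escape):
    """Write the malicious header once, read it back, report what the reader sees."""
    line = format_invalid_header('2014/02/26 02:18:57', 'info', 1123, 0, 6352,
                                 MALICIOUS_HEADER, escape)
    entries = split_entries(line)
    matches = [PREFIX_RE.match(e) for e in entries]
    return {
        'physical_lines': line.count('\n') + 1,
        'entries': len(entries),
        'forged_entry_seen': any(m and m.group('level') == 'crit' for m in matches),
        'flagged': unterminated_quote(line.split('\n')[0]),
    }


if __name__ == '__main__':
    print('raw    :', demo(escape=False))   # 3 physical lines, 2 entries, forged [crit] visible
    print('escaped:', demo(escape=True))    # 1 physical line, 1 entry, forged text inside quotes
```

The escaped form makes the forged prefix visible as data inside the quoted header instead of as a line of its own, which is what removes the ambiguity; the reader-side check only tells you that a given line is unsafe to trust, it cannot recover which of the following lines were really written by nginx.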

Change History (1)

comment:1 by Maxim Dounin, 10 years ago

Resolution: duplicate
Status: new -> closed

Duplicate of #191.
