id summary reporter owner description type status priority milestone component version resolution keywords cc uname nginx_version 512 Passing invalid headers allow to corrupt/forge messages in error_log Mike Kazantsev """Client sent invalid header line"" messages in error_log doesn't seem to escape the actual ""header line"" data, potentially allowing malicious clients to produce messages there that will look exactly like nginx errors, but are constructed entirely by client. For example, lately I seem to be getting plenty of messages like this (non-ascii escaped): {{{ 2014/02/26 02:18:57 [info] 1123#0: *6352 client sent invalid header line: ""Host: \x00\x00\x00\x00\r\nUser-Agent: Mozilost\x00 cane\x00\nAccept\x00 */*\x00\n\r\n\nUser-Agent\x00 Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)\x00\n\r\nrs; feed-id=515b78fb4dce574a7d0034d3)\x00\nIf-Modified-Since\x00 Tue, 25 Feb 2014 18:51:34 GMT\x00\n\r\n\x00\x00\x00... }}} (can be transformed to original binary line with e.g.: `python -c print\ \'''\'`) As a result, what should be one log entry spans several lines (as logged header itself contains newlines), so roughly guessing the time (from e.g. server http headers) seem to allow injecting seemingly-legit messages that aren't actually nginx errors into that log, also making it a bit more difficult to read (which such binary requests flying around lately). Maybe escaping such data in some way would be possible? Or an option to do so, if it might hurt performance too much. " defect closed minor nginx-core 1.4.x duplicate Linux damnation 3.12.11 #4 SMP Sat Feb 15 23:20:27 YEKT 2014 x86_64 GNU/Linux "nginx version: nginx/1.4.4 TLS SNI support enabled configure arguments: --prefix=/srv/www/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error_log --pid-path=/run/nginx.pid --lock-path=/run/lock/nginx.lock --user=nginx --group=nginx --http-log-path=/var/log/nginx/access_log --http-client-body-temp-path=/tmp/nginx/client --http-proxy-temp-path=/tmp/nginx/proxy --http-fastcgi-temp-path=/tmp/nginx/fastcgi --http-scgi-temp-path=/tmp/nginx/scgi --http-uwsgi-temp-path=/tmp/nginx/uwsgi --with-pcre --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module --with-http_geoip_module --with-http_dav_module --with-http_flv_module --with-http_gzip_static_module --with-http_secure_link_module --with-http_stub_status_module --with-http_spdy_module --without-http_ssi_module --without-http_referer_module --without-http_browser_module --without-http_upstream_least_conn_module --without-http_upstream_keepalive_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module"