Opened 8 years ago
Closed 8 years ago
#1144 closed defect (wontfix)
BUG - cannot include files with * mask on windows server 2012r2
Reported by: | Owned by: | ||
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | nginx-core | Version: | 1.11.x |
Keywords: | win32 | Cc: | |
uname -a: | n/a | ||
nginx -V: |
$ ../../nginx.exe -V
nginx version: nginx/1.11.6 built by cl 16.00.30319.01 for 80x86 built with OpenSSL 1.0.2j 26 Sep 2016 TLS SNI support enabled configure arguments: --with-cc=cl --builddir=objs.msvc8 --with-debug --prefix= --conf-path=conf/nginx.conf --pid-path=logs/nginx.pid --http-log-path=logs/access.log --error-log-path=logs/error.log --sbin-path=nginx.exe --http-client-body-temp-path=temp/client_body_temp --http-proxy-temp-path=temp/proxy_temp --http-fastcgi-temp-path=temp/fastcgi_temp --http-scgi-temp-path=temp/scgi_temp --http-uwsgi-temp-path=temp/uwsgi_temp --with-cc-opt=-DFD_SETSIZE=1024 --with-pcre=objs.msvc8/lib/pcre-8.39 --with-zlib=objs.msvc8/lib/zlib-1.2.8 --with-select_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_stub_status_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_random_index_module --with-http_secure_link_module --with-http_slice_module --with-mail --with-stream --with-openssl=objs.msvc8/lib/openssl-1.0.2j --with-openssl-opt=no-asm --with-http_ssl_module --with-mail_ssl_module --with-stream_ssl_module |
Description
Adding include C:/nginx/nginx-1.10.1/conf/sites-enabled/*; to the nginx conf results in the following error (maybe when enumerating the contents of the directory, it tries to read . and .. as well?):
==> error.log <==
2016/11/24 13:35:54 [error] 6168#18144: ReadFile() "C:/nginx/nginx-1.10.1/conf/sites-enabled/.." failed (1: Incorrect function)
==> nginx.log <==
nginx: [error] ReadFile() "C:/nginx/nginx-1.10.1/conf/sites-enabled/.." failed (1: Incorrect function)
nginx -V:
nginx version: nginx/1.10.1
built by cl 16.00.30319.01 for 80x86
built with OpenSSL 1.0.2h 3 May 2016
TLS SNI support enabled
configure arguments: --with-cc=cl --builddir=objs.msvc8 --with-debug --prefix= --conf-path=conf/nginx.conf --pid-path=logs/nginx.pid --http-log-path=logs/access.log --error-log-path=logs/error.log --sbin-path=nginx.exe --http-client-body-temp-path=temp/client_body_temp --http-proxy-temp-path=temp/proxy_temp --http-fastcgi-temp-path=temp/fastcgi_temp --http-scgi-temp-path=temp/scgi_temp --http-uwsgi-temp-path=temp/uwsgi_temp --with-cc-opt=-DFD_SETSIZE=1024 --with-pcre=objs.msvc8/lib/pcre-8.38 --with-zlib=objs.msvc8/lib/zlib-1.2.8 --with-select_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_stub_status_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_random_index_module --with-http_secure_link_module --with-http_slice_module --with-mail --with-stream --with-openssl=objs.msvc8/lib/openssl-1.0.2h --with-openssl-opt=no-asm --with-http_ssl_module --with-mail_ssl_module --with-stream_ssl_module --with-ipv6
Also happens with 1.11.6:
$ ../../nginx.exe -V
nginx version: nginx/1.11.6
built by cl 16.00.30319.01 for 80x86
built with OpenSSL 1.0.2j 26 Sep 2016
TLS SNI support enabled
configure arguments: --with-cc=cl --builddir=objs.msvc8 --with-debug --prefix= --conf-path=conf/nginx.conf --pid-path=logs/nginx.pid --http-log-path=logs/access.log --error-log-path=logs/error.log --sbin-path=nginx.exe --http-client-body-temp-path=temp/client_body_temp --http-proxy-temp-path=temp/proxy_temp --http-fastcgi-temp-path=temp/fastcgi_temp --http-scgi-temp-path=temp/scgi_temp --http-uwsgi-temp-path=temp/uwsgi_temp --with-cc-opt=-DFD_SETSIZE=1024 --with-pcre=objs.msvc8/lib/pcre-8.39 --with-zlib=objs.msvc8/lib/zlib-1.2.8 --with-select_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_stub_status_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_random_index_module --with-http_secure_link_module --with-http_slice_module --with-mail --with-stream --with-openssl=objs.msvc8/lib/openssl-1.0.2j --with-openssl-opt=no-asm --with-http_ssl_module --with-mail_ssl_module --with-stream_ssl_module
Change History (7)
comment:1 by , 8 years ago
Keywords: | win32 added; bug config include start-up incorrect function removed |
---|---|
Priority: | major → minor |
follow-up: 5 comment:2 by , 8 years ago
Hmm, interersting, that's how nginx cookbook generates its configuration by default. Includes everything under sites-enabled
comment:3 by , 8 years ago
Can't we just skip anything that is not a file? Would probably bork if there are matched subdirectories as well?
comment:4 by , 8 years ago
Even if we don't modify it, it would be nice to add a note in the docs about this caveat / limitation. Btw, why is the * unsafe?
comment:5 by , 8 years ago
Hmm, interersting, that's how nginx cookbook generates its configuration by default.
Well, someone is always wrong on the Internet.
Can't we just skip anything that is not a file?
We can, but this implies additional code to check the files. Also, this can cause various other unexpected effects, e.g., such an approach can breaks symlinks, or, e.g., pipes. Using proper mask is much easier and implies no unrelated breakage.
Btw, why is the * unsafe?
Because in practice there are lots of situations when bare *
matches unintended things, and we constantly see users being bitten by this. For example, there are editors which store temporary files with suffix ~
.
comment:6 by , 8 years ago
Gotcha. So it's not unsafe as in security, but unsafe as in it's going to cause you pain and suffering.
Already opened an issue with the cookbook.
comment:7 by , 8 years ago
Resolution: | → wontfix |
---|---|
Status: | new → closed |
Closing this, using proper configuration is believed to be good enough solution.
On Windows, nginx uses
FindFirstFile()
/FindNextFile()
functions to resolve masks given ininclude
directives. No additional filtering is done after it. It happens to behave slightly differently thanglob()
used on Unix, in particular, bare*
doesn't match dot-files (to match them, one should explicitly write dot in a pattern, like.*
, see here).As a result, a pattern you've wrote matches
.
and..
directory entries on Windows, leading to errors. Not sure if we want to do anything with this, probably no.An obvious solution is to use a more restrictive pattern instead, for example:
Note well that using bare
*
is an unsafe practice and not recommended even on Unix.