Opened 11 years ago
Closed 11 years ago
#512 closed defect (duplicate)
Passing invalid headers allow to corrupt/forge messages in error_log
Reported by: | Mike Kazantsev | Owned by: | |
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | nginx-core | Version: | 1.4.x |
Keywords: | Cc: | ||
uname -a: | Linux damnation 3.12.11 #4 SMP Sat Feb 15 23:20:27 YEKT 2014 x86_64 GNU/Linux | ||
nginx -V: |
nginx version: nginx/1.4.4
TLS SNI support enabled configure arguments: --prefix=/srv/www/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error_log --pid-path=/run/nginx.pid --lock-path=/run/lock/nginx.lock --user=nginx --group=nginx --http-log-path=/var/log/nginx/access_log --http-client-body-temp-path=/tmp/nginx/client --http-proxy-temp-path=/tmp/nginx/proxy --http-fastcgi-temp-path=/tmp/nginx/fastcgi --http-scgi-temp-path=/tmp/nginx/scgi --http-uwsgi-temp-path=/tmp/nginx/uwsgi --with-pcre --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module --with-http_geoip_module --with-http_dav_module --with-http_flv_module --with-http_gzip_static_module --with-http_secure_link_module --with-http_stub_status_module --with-http_spdy_module --without-http_ssi_module --without-http_referer_module --without-http_browser_module --without-http_upstream_least_conn_module --without-http_upstream_keepalive_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module |
Description
"Client sent invalid header line" messages in error_log doesn't seem to escape the actual "header line" data, potentially allowing malicious clients to produce messages there that will look exactly like nginx errors, but are constructed entirely by client.
For example, lately I seem to be getting plenty of messages like this (non-ascii escaped):
2014/02/26 02:18:57 [info] 1123#0: *6352 client sent invalid header line: "Host: \x00\x00\x00\x00\r\nUser-Agent: Mozilost\x00 cane\x00\nAccept\x00 */*\x00\n\r\n\nUser-Agent\x00 Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)\x00\n\r\nrs; feed-id=515b78fb4dce574a7d0034d3)\x00\nIf-Modified-Since\x00 Tue, 25 Feb 2014 18:51:34 GMT\x00\n\r\n\x00\x00\x00...
(can be transformed to original binary line with e.g.: python -c print\ \''<above message>'\'
)
As a result, what should be one log entry spans several lines (as logged header itself contains newlines), so roughly guessing the time (from e.g. server http headers) seem to allow injecting seemingly-legit messages that aren't actually nginx errors into that log, also making it a bit more difficult to read (which such binary requests flying around lately).
Maybe escaping such data in some way would be possible?
Or an option to do so, if it might hurt performance too much.
Duplicate of #191.