Opened 10 years ago
Closed 10 years ago
#588 closed defect (invalid)
POST Request with response 302 and content-length 0 crashes nginx
Reported by: | Søren Christian Aarup | Owned by: |
---|---|---|---
Priority: | critical | Milestone: |
Component: | nginx-core | Version: | 1.6.x
Keywords: | | Cc: |

uname -a:

```
Linux d2-waf01.architrade.com 2.6.32-431.20.3.el6.x86_64 #1 SMP Fri Jun 6 18:30:54 EDT 2014 x86_64 x86_64 x86_64 GNU/Linux
```

nginx -V:

```
nginx version: nginx/1.6.0
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-4) (GCC)
TLS SNI support enabled
configure arguments: --add-module=../modsecurity-2.8.0/nginx/modsecurity --with-openssl=/usr/local/src/openssl-1.0.1h/ --with-http_ssl_module --with-debug
```
Description
In the process of setting up Nginx as reverse proxy in front of my apaches I have come across a bug which crashes nginx.
When the client sends the following:
```http
POST /netbank/invoice_ok HTTP/1.1
Host: 172.26.11.11
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: Chunked
DNT: 1
Cookie: PMLCID=XXXXXXXXXXXXXXXXXX
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 3

x=x
```
Nginx crashes in an infinite loop at src/http/ngx_http_write_filter_module.c:116
The response Nginx receives from apache is (which never comes back to the client):
```http
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.6.0
Date: Mon, 30 Jun 2014 14:44:54 GMT
Content-Type: text/plain
Content-Length: 0
Connection: keep-alive
Location: http://google.com
```
And after some debugging it is discovered that it only happens with POST requests and only with Content-Length: 0 in the response header. If I add content to the body and a corresponding Content-Length in the response, it works fine. I have compiled Nginx with version 2.8 of modsecurity and this problem only occurs if I enable modsecurity (detection mode only though)! However, the infinite loop is occurring in the Nginx code. I have tested both 1.7.1 and 1.6.0 and they act the same way.
To reproduce this more easily I created a perl script (attached) which can be served with netcat and sends the above response. Running it in a loop like this:

```sh
while true; do perl redirect.cgi | nc -l -p 1500 ; sleep 1; done
```
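As an added example (not the reporter's attached redirect.cgi, and not nginx or modsecurity code), a small Python stand-in for the upstream that answers every request with the quoted 302 / Content-Length: 0 response. Unlike a bare netcat listener it parses the request and consumes the POST body before replying, so a stalled test can be attributed to the proxy rather than to the stub; the port and the `serve`/`handle` names are this example's own choices.

```python
import socket
# Constructed copy of the upstream response quoted in the ticket: a 302 with
# Content-Length: 0, the response shape the reporter says triggers the loop.
REDIRECT_RESPONSE = (
    b"HTTP/1.1 302 Moved Temporarily\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 0\r\n"
    b"Connection: keep-alive\r\n"
    b"Location: http://google.com\r\n"
    b"\r\n"
)

def parse_request(raw):
    """Return (method, headers, body), or None while the request is incomplete.
    Content-Length is honoured so the POST body is consumed before replying."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    method = lines[0].split(b" ")[0].decode("ascii")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("ascii")
    length = int(headers.get("content-length", "0"))
    if len(rest) < length:
        return None
    return method, headers, rest[:length]

def handle(conn):
    """Read one full request from conn, send the fixed 302, return the method."""
    buf = b""
    while (parsed := parse_request(buf)) is None:
        chunk = conn.recv(4096)
        if not chunk:  # client closed before finishing the request
            return None
        buf += chunk
    conn.sendall(REDIRECT_RESPONSE)
    conn.close()
    return parsed[0]

def serve(port=1500):
    """Stand-in upstream: point nginx's proxy_pass at http://127.0.0.1:<port>."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("127.0.0.1", port))
        srv.listen(5)
        while True:
            handle(srv.accept()[0])
```

Call `serve()` in one terminal and send the quoted POST through the proxy twice, once with the modsecurity module compiled in and once with a build without it, which is exactly the comparison comment:2 asks for.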
Attachments (2)
Change History (4)
by , 10 years ago
Attachment: redirect.cgi added
by , 10 years ago
Attachment: nginx.conf added
comment:1 by , 10 years ago
Hello,
Have you tried to reproduce the crash without modsecurity compiled in?
comment:2 by , 10 years ago
Resolution: | → invalid
---|---
Status: | new → closed
> this problem only occurs if I enable modsecurity

Since you can't reproduce it without the 3rd-party module, there's no evidence that the problem is in nginx itself. It's very easy for 3rd-party modules to break nginx by incorrect use of its internal API.
Perl script to produce response with netcat