diff src/http/v2/ngx_http_v2.c @ 9259:81082b5521dd

Request body: body is now cleared on errors. Previously, after errors the request body was left in a potentially inconsistent state, with r->headers_in.content_length_n which might be larger than buffers actually stored in r->request_body->bufs (or not set at all, in case of HTTP/2 and HTTP/3). This can cause issues if the request body is subsequently used during error_page handling, such as when proxying. Fix is to clear r->request_body->bufs if this happens, and set r->headers_in.content_length_n to 0, much like it happens when ngx_http_discard_request_body() is called when returning 413 from ngx_http_core_find_config_phase() for requests with Content-Length.
author Maxim Dounin <mdounin@mdounin.ru>
date Sat, 27 Apr 2024 18:21:38 +0300
parents c9550e77186c
children ac5635650bc6
--- a/src/http/v2/ngx_http_v2.c
+++ b/src/http/v2/ngx_http_v2.c
@@ -1106,7 +1106,11 @@ ngx_http_v2_state_read_data(ngx_http_v2_
                                               stream->in_closed, 0);
 
         if (rc != NGX_OK && rc != NGX_AGAIN) {
+
             stream->skip_data = 1;
+            r->headers_in.content_length_n = 0;
+            r->request_body->bufs = NULL;
+
             ngx_http_finalize_request(r, rc);
         }
 
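Review bot: The reset of `r->headers_in.content_length_n` and `r->request_body->bufs` before `ngx_http_finalize_request(r, rc)` has no comment at the call site, and the same statements are repeated in the hunks at -4199 and -4262 in ngx_http_v2_read_client_request_body_handler. The purpose is that error_page handling (for example a proxied one) must not see a declared length that disagrees with the stored buffers, so a short comment would stop a later edit from dropping one of the two assignments: `/* body is incomplete; clear it so error_page handling cannot reuse it */`. A small static helper performing both assignments would also keep the three sites in sync. The new line dereferences `r->request_body` unconditionally; this is presumably safe after the preceding ngx_http_v2_process_request_body() call, but the enclosing function starts and ends outside the hunk, so it cannot be confirmed here.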
@@ -3768,6 +3772,7 @@ ngx_http_v2_run_request(ngx_http_request
                       "client prematurely closed stream");
 
         r->stream->skip_data = 1;
+        r->headers_in.content_length_n = 0;
 
         ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
         goto failed;
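Review bot: Only `r->headers_in.content_length_n` is reset in this "client prematurely closed stream" branch, while the other three error paths in this commit also set `r->request_body->bufs = NULL`. If that is deliberate because `r->request_body` may not be allocated yet at this point in ngx_http_v2_run_request(), a comment should say so, e.g. `/* r->request_body may not exist yet, so only the length is reset */`. If a body can already be attached here, its buffers would remain reachable from error_page handling alongside a zero length, which is the kind of mismatch the commit sets out to remove. The enclosing function starts outside the hunk, so which case applies cannot be told from the visible lines.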
@@ -4199,7 +4204,11 @@ ngx_http_v2_read_client_request_body_han
     rc = ngx_http_v2_process_request_body(r, NULL, 0, r->stream->in_closed, 1);
 
     if (rc != NGX_OK && rc != NGX_AGAIN) {
+
         r->stream->skip_data = 1;
+        r->headers_in.content_length_n = 0;
+        r->request_body->bufs = NULL;
+
         ngx_http_finalize_request(r, rc);
         return;
     }
@@ -4262,6 +4271,8 @@ ngx_http_v2_read_client_request_body_han
 error:
 
     stream->skip_data = 1;
+    r->headers_in.content_length_n = 0;
+    r->request_body->bufs = NULL;
 
     ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);
     return;