clear_header call may result in malrformed request passed to the origin #176

Closed
usirsiwal opened this Issue Nov 14, 2012 · 9 comments

Comments

Projects
None yet
2 participants

Issue
If the lua clear header is used to clear 21st header along with proxy_pass, we may send ":" as a header.

This issue also existed in headers_more module 0.17rc1 and has been fixed in headers_more module version 0.18-3.

nginx -V
nginx version: nginx/1.2.5
built by gcc 4.6.1 (Ubuntu/Linaro 4.6.1-9ubuntu3)
configure arguments: --add-module=../lua-nginx-module --with-debug --prefix=/home/umesh/nginx/build

Nginx Lua Module#
HEAD of the git repo. Although this problem has existed with older versions as well

Nginx configuration:

server {
    listen       80;
    server_name  localhost;

    rewrite_by_lua 'ngx.req.clear_header("R")';
    location / {
    proxy_pass http://www.google.com;
    }
}

Curl Command:
curl -vvv http://localhost/ -H 'A: a' -H 'B: b' -H 'C: c' -H 'D: d' -H'E: e' -H 'F: f' -H 'G: g' -H 'H: h' -H'I: i' -H 'J: j' -H 'K: k' -H 'L: l' -H 'M: m' -H 'N: n' -H 'O: o' -H 'P: p' -H 'Q: q' -H 'R: r' > /dev/null

Headers sent upstream:
GET / HTTP/1.0
Host: www.google.com
Connection: close
User-Agent: curl/7.21.6 (x86_64-pc-linux-gnu) libcurl/7.21.6 OpenSSL/1.0.0e zlib/1.2.3.4 libidn/1.22 librtmp/2.3
Accept: /
A: a
B: b
C: c
D: d
E: e
F: f
G: g
H: h
I: i
J: j
K: k
L: l
M: m
N: n
O: o
P: p
Q: q
:

Note the last empty ":"

Owner

agentzh commented Nov 14, 2012

Thank you for the report! I've already reproduced it on my side and
I've already seen the real cause. I'll fix it in the next few hours or
so :)

Best regards,
-agentzh

Thanks a lot for quick response agentzh.

Isn't it like 3:00am where you live? :)

Owner

agentzh commented Nov 14, 2012

Hello!

On Wed, Nov 14, 2012 at 1:50 PM, Umesh Sirsiwal notifications@github.comwrote:

Thanks a lot for quick response agentzh.

Isn't it like 3:00am where you live? :)

No, it is 14:36 pm here. I'm living in San Francisco :)

Best regards,
-agentzh

I was mistaken.

agentzh added a commit that referenced this issue Nov 15, 2012

bugfix: ngx.req.clear_header() would result in memory invalid reads w…
…hen removing the 21st request headers. thanks Umesh Sirsiwal for reporting this issue in github issue #176.
Owner

agentzh commented Nov 15, 2012

I think I've fixed this in ngx_lua's master. Could you try out the new master HEAD?

Thanks!

Owner

agentzh commented Nov 15, 2012

This issue also exists in ngx_headers_more's git master HEAD. I'm backporting the fix to it.

agentzh added a commit to openresty/headers-more-nginx-module that referenced this issue Nov 15, 2012

bugfix: more_clear_input_headers would result in memory invalid reads…
… when removing the 21st request headers. thanks Umesh Sirsiwal for reporting this issue as openresty/lua-nginx-module#176.
Owner

agentzh commented Nov 15, 2012

just fixed this in ngx_headers_more's master HEAD as well :)

Just tested both ngx_lua and headers_more. Both look good.

Thanks for fast turn around.

Owner

agentzh commented Jan 21, 2013

Thank you for the feedback! Consider it resolved :)

@agentzh agentzh closed this Jan 21, 2013

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment