Manipulating the body of a PUT/POST
kyprizel at gmail.com
Wed Oct 17 20:02:47 UTC 2012
ModSecurity can't handle big bodies anyway, so if the body is too big
to fit in memory - it'll be discarded by modsecurity, so there is no
reason to handle bodies written to the temp files.
On Wed, Oct 17, 2012 at 9:42 PM, Maxim Dounin <mdounin at mdounin.ru> wrote:
> On Wed, Oct 17, 2012 at 03:09:26PM +0400, kyprizel wrote:
>> Maxim, we use body handling code from Valery Kholodkov's upload
>> module (and nginx core) in Nginx ModSecurity module, can you please
>> look at the code and check if we do it correctly?
>
> Are you kidding? ;)
>
> It can't be correct without input body filtering implemented.
> It's a hack at best, expect it to break on major changes in
> request body reading code. Additionally, it looks like you've
> failed to provide any logic to actually save request body for use
> by other modules if it's large enough to not fit into memory
> buffer configured (that is, write request body to disk), nor any
> logic to honor r->request_body_in_file_only.
>
> The only _correct_ approach available as of now is to call
> ngx_http_read_client_request_body(), and work with the result once
> post_handler is called.
>
> Maxim Dounin
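The thread turns on what a module sees once the request body has been read: buffers that sit in memory, and buffers that point into a temp file once the body has spilled to disk. The following is an added example, not code from this thread, from nginx, or from the ModSecurity module; it shows a reader that walks both kinds of buffer and returns an error instead of a partial body. The structs `body_buf` and `body_chain` are stand-ins modeled on the `pos`, `last`, `in_file`, `file_pos` and `file_last` buffer fields, and `collect_body()` and `demo()` are hypothetical names.

```c
#define _POSIX_C_SOURCE 200809L          /* for pread() and fileno() */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
/* Stand-ins (assumption) for the ngx_buf_t / ngx_chain_t fields, not nginx's own. */
typedef struct {
    const unsigned char *pos, *last;     /* memory data: [pos, last) */
    int   in_file, fd;                   /* in_file set: data is in temp file fd */
    off_t file_pos, file_last;           /* file data: [file_pos, file_last) */
} body_buf;
typedef struct body_chain { body_buf *buf; struct body_chain *next; } body_chain;
/* Copy the complete body into out[cap]. Returns the byte count, or -1 when it
   does not fit or a read fails, so the caller never inspects a partial body. */
long collect_body(const body_chain *cl, unsigned char *out, size_t cap)
{
    size_t used = 0;
    for (; cl != NULL; cl = cl->next) {
        const body_buf *b = cl->buf;
        if (!b->in_file) {                       /* memory-backed buffer */
            size_t len = (size_t)(b->last - b->pos);
            if (len > cap - used) return -1;
            memcpy(out + used, b->pos, len);
            used += len;
            continue;
        }
        for (off_t off = b->file_pos; off < b->file_last; ) {  /* temp file */
            size_t want = (size_t)(b->file_last - off);
            if (want > cap - used) return -1;
            ssize_t n = pread(b->fd, out + used, want, off);
            if (n <= 0) return -1;               /* short file or I/O error */
            used += (size_t)n; off += n;
        }
    }
    return (long)used;
}
/* Constructed sample: "user=alice&" in memory, "role=admin" in a temp file. */
long demo(unsigned char *out, size_t cap)
{
    static const unsigned char head[] = "user=alice&";
    FILE *tmp = tmpfile();
    if (tmp == NULL) return -1;
    fputs("role=admin", tmp);
    fflush(tmp);                                 /* make bytes visible to pread() */
    body_buf mem  = { head, head + sizeof(head) - 1, 0, -1, 0, 0 };
    body_buf file = { NULL, NULL, 1, fileno(tmp), 0, 10 };
    body_chain c2 = { &file, NULL }, c1 = { &mem, &c2 };
    long n = collect_body(&c1, out, cap);
    fclose(tmp);
    return n;
}
```

A caller that treats the `-1` return as "reject the request" fails closed when the body is larger than its inspection buffer.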