Manipulating the body of a PUT/POST

Maxim Dounin mdounin at mdounin.ru
Thu Oct 18 09:32:36 UTC 2012


Hello!

On Thu, Oct 18, 2012 at 12:02:47AM +0400, kyprizel wrote:

> ModSecurity can't handle big bodies anyway, so if the body is too big
> to fit in memory - it'll be discarded by modsecurity, so there is no
> reason to handle bodies written to the temp files.

What your code does is silent data corruption.  I wouldn't try to 
advocate such a behaviour with the "security" word in the project's 
name...  :)

But if you don't want to handle big bodies - why do you need custom 
reading code at all?  It would be enough to call 
ngx_http_read_client_request_body() and then in post_handler walk 
through r->request_body->bufs, returning an error if you see a 
buffer which isn't in memory.

> On Wed, Oct 17, 2012 at 9:42 PM, Maxim Dounin <mdounin at mdounin.ru> wrote:
> > Hello!
> >
> > On Wed, Oct 17, 2012 at 03:09:26PM +0400, kyprizel wrote:
> >
> >> Maxim, we use body handling code from Valery Kholodkov's upload
> >> module(and nginx core) in Nginx ModSecurity module, can you please
> >> look at the code and check if we do it correctly?
> >> http://mod-security.svn.sourceforge.net/viewvc/mod-security/m2/trunk/nginx/modsecurity/
> >
> > Are you kidding?  ;)
> >
> > It can't be correct without input body filtering implemented.
> > It's a hack at best, expect it to break on major changes in
> > request body reading code.  Additionally, it looks like you've
> > failed to provide any logic to actually save request body for use
> > by other modules if it's large enough not to fit into memory
> > buffer configured (that is, write request body to disk), nor any
> > logic to honor r->request_body_in_file_only.
> >
> > The only _correct_ approach available as of now is to call
> > ngx_http_read_client_request_body(), and work with the result once
> > post_handler is called.
> >
> > --
> > Maxim Dounin
> > http://nginx.com/support.html
> >
> > _______________________________________________
> > nginx-devel mailing list
> > nginx-devel at nginx.org
> > http://mailman.nginx.org/mailman/listinfo/nginx-devel

-- 
Maxim Dounin
http://nginx.com/support.html
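An added illustration of the post_handler walk described above (example code, not from this thread or the ModSecurity module): it sums the body bytes held in memory and returns 413 as soon as it meets a buffer that nginx spilled to the temp file, instead of skipping it. The ngx_* types and macros are reduced stand-ins so the example compiles outside an nginx build; the helper names are assumptions.

```c
#include <stddef.h>

/* Reduced stand-ins (assumption) for the nginx types used here, so the
 * example compiles outside an nginx build. A real module includes
 * <ngx_http.h> and uses the genuine ngx_buf_t, ngx_chain_t and
 * ngx_buf_in_memory(), and walks r->request_body->bufs in post_handler. */
typedef struct {
    unsigned char *pos;        /* first byte of data held in memory */
    unsigned char *last;       /* one past the last byte */
    unsigned       temporary:1;
    unsigned       memory:1;
    unsigned       mmap:1;
    unsigned       in_file:1;  /* set when the data lives in the temp file */
} ngx_buf_t;

typedef struct ngx_chain_s ngx_chain_t;
struct ngx_chain_s { ngx_buf_t *buf; ngx_chain_t *next; };

#define ngx_buf_in_memory(b) ((b)->temporary || (b)->memory || (b)->mmap)

#define NGX_OK                              0
#define NGX_HTTP_REQUEST_ENTITY_TOO_LARGE 413

/* Hypothetical helpers: build a buffer over an in-memory range, and a
 * buffer standing for a body part nginx wrote to disk. */
ngx_buf_t mem_buf(unsigned char *data, size_t len)
{
    ngx_buf_t b = {0};
    b.pos = data; b.last = data + len; b.temporary = 1;
    return b;
}

ngx_buf_t file_buf(void)
{
    ngx_buf_t b = {0};
    b.in_file = 1;             /* pos/last are meaningless for file bufs */
    return b;
}

/* What the post_handler should do with rb->bufs: refuse the request the
 * moment a buffer is not in memory, otherwise report the total size. */
int body_in_memory_size(ngx_chain_t *bufs, size_t *size)
{
    size_t total = 0;
    for (ngx_chain_t *cl = bufs; cl; cl = cl->next) {
        ngx_buf_t *b = cl->buf;
        if (b->in_file || !ngx_buf_in_memory(b)) {
            return NGX_HTTP_REQUEST_ENTITY_TOO_LARGE;
        }
        total += (size_t)(b->last - b->pos);
    }
    *size = total;
    return NGX_OK;
}
```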