Manipulating the body of a PUT/POST
mdounin at mdounin.ru
Thu Oct 18 09:32:36 UTC 2012
On Thu, Oct 18, 2012 at 12:02:47AM +0400, kyprizel wrote:
> ModSecurity can't handle big bodies anyway, so if the body is too big
> to fit in memory - it'll be discarded by modsecurity, so there is no
> reason to handle bodies written to the temp files.
What your code do is silent data corruption. I wouldn't try to
advocate such a behaviour with the "security" word in project's
But if don't want to handle big bodies - why you need custom
reading code at all? It would be enough to call
ngx_http_read_client_request_body() and then in post_handler walk
though r->request_body->bufs, returning an error if you'll see a
buffer which isn't in memory.
> On Wed, Oct 17, 2012 at 9:42 PM, Maxim Dounin <mdounin at mdounin.ru> wrote:
> > Hello!
> > On Wed, Oct 17, 2012 at 03:09:26PM +0400, kyprizel wrote:
> >> Maxim, we use body handling code from Valery Kholodkov's upload
> >> module(and nginx core) in Nginx ModSecurity module, can you please
> >> look at the code and check if we do it correctly?
> >> http://mod-security.svn.sourceforge.net/viewvc/mod-security/m2/trunk/nginx/modsecurity/
> > Are you kidding? ;)
> > It can't be correct without input body filtering implemented.
> > It's a hack at best, expect it to break on major changes in
> > request body reading code. Additionally, it looks like you've
> > failed to provide any logic to actually save request body for use
> > by other modules if it's large enough to don't fit into memory
> > buffer configured (that is, write request body to disk), nor any
> > logic to honor r->request_body_in_file_only.
> > The only _correct_ aproach available as of now is to call
> > ngx_http_read_client_request_body(), and work with the result once
> > post_handler is called.
> > --
> > Maxim Dounin
> > http://nginx.com/support.html
> > _______________________________________________
> > nginx-devel mailing list
> > nginx-devel at nginx.org
> > http://mailman.nginx.org/mailman/listinfo/nginx-devel
> nginx-devel mailing list
> nginx-devel at nginx.org
More information about the nginx-devel