fix error message for auth basic module.

Maxim Dounin mdounin at
Tue Feb 24 16:34:33 UTC 2015


On Tue, Feb 24, 2015 at 06:36:47PM +0900, Toshikuni Fukaya wrote:

> Hi,
> I found a little bug in error logging for ngx_http_auth_basic_module.
> My config is as follows:
> location / {
>   set $file passwd;
>   auth_basic "closed";
>   auth_basic_user_file /etc/nginx/$file;
> }
> When accessing the location with a wrong user or password,
> nginx logged a user file name and it contains a null character.
> The reason for this is the use of format '%V' to print user_file.
> I think it is a bug because '%s' is used for the variable in other
> positions.

Normally, variables which are nginx strings and at the same time 
point to files do have a NULL character at the end (because it's 
required to work with system calls), but it isn't included in 
the len field.  That is, one can use either %s with 
or %V with &user_file.  The %s variant was used in syscall-related 
messages (to make sure to print the name used by syscalls), and %V 
in normal code.

In this particular case the problem seems to be introduced by
the revision a6954ce88b80 ( 
during conversion to complex values.  Previously, the invariant 
outlined above was held, but after a6954ce88b80 if auth_basic_user_file 
contains variables, then user_files.len includes a NULL character.

While using %s in all cases as in your patch will fix the problem, 
I would rather prefer to see the invariant restored.

Maxim Dounin
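
The invariant discussed in this message, as an added example that is not part of the original e-mail and is not nginx code: `str_t`, `fmt_V`, `fmt_s` and `restore_invariant` are hypothetical simplified stand-ins for a length-counted string and its `%V`/`%s` formatters, and the path is a constructed sample. It shows that a length-driven formatter writes a NUL byte into the log line as soon as `len` covers the terminator.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for a length-counted string (len + data pointer). */
typedef struct { size_t len; unsigned char *data; } str_t;

/* Like %V: copy exactly s->len bytes, whatever they are. */
static size_t fmt_V(char *out, size_t cap, const str_t *s) {
    size_t n = s->len < cap ? s->len : cap;
    memcpy(out, s->data, n);
    return n;
}

/* Like %s: copy up to, but not including, the first NUL. */
static size_t fmt_s(char *out, size_t cap, const unsigned char *data) {
    size_t n = strlen((const char *) data);
    if (n > cap) n = cap;
    memcpy(out, data, n);
    return n;
}

/* Count NUL bytes that would end up in the formatted log text. */
static size_t count_nul(const char *buf, size_t n) {
    size_t i, c = 0;
    for (i = 0; i < n; i++) if (buf[i] == '\0') c++;
    return c;
}

/* Restore the invariant: data stays NUL-terminated, len stops before it. */
static void restore_invariant(str_t *s) {
    if (s->len > 0 && s->data[s->len - 1] == '\0') s->len--;
}

/* Constructed sample path; returns NULs emitted by the %V-style formatter. */
static size_t nul_bytes_logged(int len_includes_nul, int fix) {
    static unsigned char path[] = "/etc/nginx/passwd";
    char out[64];
    str_t f = { sizeof(path) - 1 + (len_includes_nul ? 1 : 0), path };
    if (fix) restore_invariant(&f);
    return count_nul(out, fmt_V(out, sizeof(out), &f));
}

int main(void) {
    char out[64];
    printf("invariant held:   %zu NUL(s)\n", nul_bytes_logged(0, 0));
    printf("len includes NUL: %zu NUL(s)\n", nul_bytes_logged(1, 0));
    printf("after restore:    %zu NUL(s)\n", nul_bytes_logged(1, 1));
    printf("%%s-style length:  %zu\n", fmt_s(out, sizeof(out), (unsigned char *) "/etc/nginx/passwd"));
    return 0;
}
```
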
