fix error message for auth basic module.

Maxim Dounin mdounin at mdounin.ru
Tue Feb 24 16:34:33 UTC 2015


Hello!

On Tue, Feb 24, 2015 at 06:36:47PM +0900, Toshikuni Fukaya wrote:

> Hi,
> 
> I found a little bug on error logging for ngx_http_auth_basic_module.
> My config is following:
> 
> location / {
>   set $file passwd;
>   auth_basic "closed";
>   auth_basic_user_file /etc/nginx/$file;
> }
> 
> When access to the location with wrong user or password,
> nginx logged a user file name and it contains null character.
> 
> The reason of this is using format '%V' to print user_file.
> I think it is a bug because '%s' is used for the variable in other
> positions.

Normally, variables which are nginx strings and at the same time 
point to files do have a NULL character at the end (because it's 
required to work with system calls), but it doesn't included in 
the len field.  That is, one can use either %s with user_file.data 
or %V with &user_file.  The %s variant was used in syscall-related 
messages (to make sure to print the name used by syscalls), and %V 
in normal code.

In this particular case the problem seems to be introduced by
the revision a6954ce88b80 (http://hg.nginx.org/nginx/rev/a6954ce88b80) 
during conversion to complex values.  Previously, the invariant 
outlined above was held, but after a6954ce88b80 if auth_basic_user_file 
contains variables, then user_files.len includes a NULL character.

While using %s in all cases as in your patch will fix the problem, 
I would rather prefer to see the invariant restored.

-- 
Maxim Dounin
http://nginx.org/



More information about the nginx-devel mailing list