[nginx] HTTP/2: discard remaining request body after redirect.

Sergey Kandaurov pluknet at nginx.com
Mon Aug 19 14:45:36 UTC 2019


details:   https://hg.nginx.org/nginx/rev/9f1f9d6e056a
branches:  
changeset: 7561:9f1f9d6e056a
user:      Sergey Kandaurov <pluknet at nginx.com>
date:      Mon Aug 19 15:16:06 2019 +0300
description:
HTTP/2: discard remaining request body after redirect.

Previously, if unbuffered request body reading wasn't finished before
the request was redirected to a different location using error_page
or X-Accel-Redirect, and the request body is read again, this could
lead to disastrous effects, such as a duplicate post_handler call or
"http request count is zero" alert followed by a segmentation fault.

This happened in the following configuration (ticket #1819):

    location / {
        proxy_request_buffering off;
        proxy_pass http://bad;
        proxy_intercept_errors on;
        error_page 502 = /error;
    }

    location /error {
        proxy_pass http://backend;
    }

diffstat:

 src/http/v2/ngx_http_v2.c |  11 +++++++++--
 1 files changed, 9 insertions(+), 2 deletions(-)

diffs (28 lines):

diff -r 2432a687e789 -r 9f1f9d6e056a src/http/v2/ngx_http_v2.c
--- a/src/http/v2/ngx_http_v2.c	Fri Aug 16 18:16:21 2019 +0300
+++ b/src/http/v2/ngx_http_v2.c	Mon Aug 19 15:16:06 2019 +0300
@@ -947,6 +947,15 @@ ngx_http_v2_state_read_data(ngx_http_v2_
         return ngx_http_v2_state_skip_padded(h2c, pos, end);
     }
 
+    r = stream->request;
+
+    if (r->reading_body && !r->request_body_no_buffering) {
+        ngx_log_debug0(NGX_LOG_DEBUG_HTTP, h2c->connection->log, 0,
+                       "skipping http2 DATA frame");
+
+        return ngx_http_v2_state_skip_padded(h2c, pos, end);
+    }
+
     size = end - pos;
 
     if (size >= h2c->state.length) {
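Review bot: The new `if (r->reading_body && !r->request_body_no_buffering)` check needs a comment, because nothing at that point in ngx_http_v2_state_read_data() says why this flag combination identifies body data left over from before an error_page or X-Accel-Redirect redirect. The early return also sits above the `size >= h2c->state.length` block, so the `stream->in_closed` update from the END_STREAM flag is not reached for a skipped frame; please confirm that this is intended, or set it before returning. The debug message "skipping http2 DATA frame" could name the reason as well, so this path can be told apart in a debug log.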
@@ -954,8 +963,6 @@ ngx_http_v2_state_read_data(ngx_http_v2_
         stream->in_closed = h2c->state.flags & NGX_HTTP_V2_END_STREAM_FLAG;
     }
 
-    r = stream->request;
-
     if (r->request_body) {
         rc = ngx_http_v2_process_request_body(r, pos, size, stream->in_closed);
 

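An added example, not part of the commit or of nginx: a small config check that lists location blocks combining the two conditions from the commit message, unbuffered request body proxying and an error_page redirect. The function name and the sample configuration are constructed for illustration; it does not check whether HTTP/2 is enabled, and it cannot see X-Accel-Redirect, which is sent by the upstream.

```python
import re

# Constructed sample, modelled on the configuration in the commit message.
SAMPLE_CONF = """
server {
    location / {
        proxy_request_buffering off;
        proxy_pass http://bad;
        proxy_intercept_errors on;
        error_page 502 = /error;
    }
    location /error { proxy_pass http://backend; }
    location /upload {
        proxy_request_buffering off;
        proxy_pass http://backend;
    }
}
"""

def risky_locations(conf):
    """Locations that proxy the body unbuffered with an error_page in effect."""
    conf = re.sub(r"#[^\n]*", "", conf)        # naive: '#' inside quotes not handled
    tokens = re.findall(r"[^{};]+|[{};]", conf)
    # One frame per open block, holding the settings in effect there.
    stack = [{"name": "main", "unbuffered": False, "error_page": False}]
    found, pending = [], ""
    for tok in tokens:
        if tok == "{":
            # A child block starts from its parent's settings (inheritance);
            # parent directives written after the child are not seen.
            stack.append(dict(stack[-1], name=" ".join(pending.split())))
            pending = ""
        elif tok == "}":
            if len(stack) > 1:
                blk = stack.pop()
                if (blk["name"].startswith("location")
                        and blk["unbuffered"] and blk["error_page"]):
                    found.append(blk["name"])
        elif tok == ";":
            words, pending = pending.split(), ""
            if words[:1] == ["proxy_request_buffering"]:
                stack[-1]["unbuffered"] = words[1:2] == ["off"]
            elif words[:1] == ["error_page"]:
                stack[-1]["error_page"] = True
        else:
            pending = tok
    return found

if __name__ == "__main__":
    print(risky_locations(SAMPLE_CONF))
```

A location it reports is only a candidate for review on builds that predate this changeset; `/upload` in the sample is not reported because no error_page applies to it.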
