Bug in nginx?

Maxim Dounin mdounin at mdounin.ru
Sun Apr 17 22:12:42 MSD 2011


On Sun, Apr 17, 2011 at 06:26:56PM +0100, Ian Hobson wrote:

> Hi,
> I'm still using Nginx 0.7.67 and I think I have found a minor bug.
> In my config files, for one domain I have entries like this to
> protect two directories.
> location  /secret {
>    index index.html
>    auth_basic "Please login";

This syntactically correct and defines three possible index files: 
"index.html", "auth_basic" and "Please login".

>    auth_basic_user_file  /path/to/passwordfile

Note this doesn't have ";" as well and will make config 
syntactially incorrect.  You won't be able to start nginx such 
config, but I assume this is artifact introduced during writing 
this message.

> }
> location /private {
>    auth_basic "Hello, Please login";
>    authObasic_user_file  /path/to/passwordfile;
>    if ()
>      etc
> Note the second line above has no trailing semi-colon.
> The result is that /secret is not protected (although /private is).
> The bug is that when nginx is restarted, it announces that the config file
> is valid, when it isn't, (so the problem was not detected for many months).

The problem is that config file is actually valid.  It's not 
really possible to detect such configuration errors as long as 
resulting construct is valid.

Maxim Dounin

More information about the nginx mailing list