status-line trailing SP is missing ?

Maxim Dounin mdounin at mdounin.ru
Thu Aug 31 20:13:21 UTC 2023 

Hello!

On Thu, Aug 31, 2023 at 03:45:18PM +0400, Sergey Kandaurov wrote:

> > On 29 Aug 2023, at 08:14, Maxim Dounin <mdounin at mdounin.ru> wrote:
> > 
> > Hello!
> > 
> > On Sat, Aug 26, 2023 at 04:21:07PM +0200, Jérémy Lal wrote:
> > 
> >> Hi,
> >> 
> >> https://bugs.debian.org/1050571
> >> reports that the Status line doesn't always end with space, which seems
> >> contradictory to RFC9112 which states:
> >> "A server MUST send the space that separates the status-code from the
> >> reason-phrase even when the reason-phrase is absent (i.e., the status-line
> >> would end with the space)."
> >> 
> >> Is it a documented nginx 1.24.0 behavior ?
> > 
> > Interesting.
> > 
> > As you can see from the report referenced, nginx returns in the 
> > HTTP status what is sent by the FastCGI application in the 
> > "Status" response header.
> > 
> > [..]
> > 
> > Summing the above, I tend to think that it is generally a bad idea 
> > to use Status header without a reason-phrase, as it is going to 
> > result in missing SP sooner or later.  At least if you do care 
> > about missing SP in the status line (AFAIK, it causes no practical 
> > issues, though I'm not really tested).
> 
> Agree.
> 
> > 
> > As for the nginx behaviour, I don't think we want to try to 
> > implement custom parsing for the Status header to preserve 
> > trailing SP if it's present.  We can, however, consider using 
> > only the status code from such Status headers, so nginx will 
> > provide reason phrase by itself.  
> > 
> > Something like this should do the trick:
> > 
> > # HG changeset patch
> > # User Maxim Dounin <mdounin at mdounin.ru>
> > # Date 1693282407 -10800
> > #      Tue Aug 29 07:13:27 2023 +0300
> > # Node ID 10aec7047ed8c8e429e8e9b9d676a83751899bc6
> > # Parent  44536076405cf79ebdd82a6a0ab27bb3aed86b04
> > Upstream: fixed handling of Status headers without reason-phrase.
> > 
> > Status header with an empty reason-phrase, such as "Status: 404 ", is
> > valid per CGI specification, but looses the trailing space during parsing.
> > Currently, this results in "HTTP/1.1 404" HTTP status line in the response,
> > which violates HTTP specification due to missing trailing space.
> > 
> > With this change, only the status code is used from such short Status
> > header lines, so nginx will generate status line itself, with the space
> > and appropriate reason phrase if available.
> > 
> > Reported at:
> > https://mailman.nginx.org/pipermail/nginx/2023-August/EX7G4JUUHJWJE5UOAZMO5UD6OJILCYGX.html
> > 
> > diff --git a/src/http/modules/ngx_http_fastcgi_module.c b/src/http/modules/ngx_http_fastcgi_module.c
> > --- a/src/http/modules/ngx_http_fastcgi_module.c
> > +++ b/src/http/modules/ngx_http_fastcgi_module.c
> > @@ -2048,7 +2048,10 @@ ngx_http_fastcgi_process_header(ngx_http
> >                     }
> > 
> >                     u->headers_in.status_n = status;
> > -                    u->headers_in.status_line = *status_line;
> > +
> > +                    if (status_line->len > 3) {
> > +                        u->headers_in.status_line = *status_line;
> > +                    }
> > 
> >                 } else if (u->headers_in.location) {
> >                     u->headers_in.status_n = 302;
> > diff --git a/src/http/modules/ngx_http_scgi_module.c b/src/http/modules/ngx_http_scgi_module.c
> > --- a/src/http/modules/ngx_http_scgi_module.c
> > +++ b/src/http/modules/ngx_http_scgi_module.c
> > @@ -1153,7 +1153,10 @@ ngx_http_scgi_process_header(ngx_http_re
> >                 }
> > 
> >                 u->headers_in.status_n = status;
> > -                u->headers_in.status_line = *status_line;
> > +
> > +                if (status_line->len > 3) {
> > +                    u->headers_in.status_line = *status_line;
> > +                }
> > 
> >             } else if (u->headers_in.location) {
> >                 u->headers_in.status_n = 302;
> > diff --git a/src/http/modules/ngx_http_uwsgi_module.c b/src/http/modules/ngx_http_uwsgi_module.c
> > --- a/src/http/modules/ngx_http_uwsgi_module.c
> > +++ b/src/http/modules/ngx_http_uwsgi_module.c
> > @@ -1381,7 +1381,10 @@ ngx_http_uwsgi_process_header(ngx_http_r
> >                 }
> > 
> >                 u->headers_in.status_n = status;
> > -                u->headers_in.status_line = *status_line;
> > +
> > +                if (status_line->len > 3) {
> > +                    u->headers_in.status_line = *status_line;
> > +                }
> > 
> >             } else if (u->headers_in.location) {
> >                 u->headers_in.status_n = 302;
> > 
> > 
> 
> After discussion in the adjacent thread,
> I think the change is fine.

Pushed to http://mdounin.ru/hg/nginx, thanks for the review.

-- 
Maxim Dounin
http://mdounin.ru/

More information about the nginx mailing list