Observed inconsistency in HTTP headers (headers_in.user)
Igor Sysoev
igor at sysoev.ru
Sun May 22 09:28:21 MSD 2011
On Sat, May 21, 2011 at 04:27:29PM -0400, Anthony Ryan wrote:
> I recently began development of an HTTP Auth module to make use of an
> existing user authentication backend my company uses, and encountered
> something I believe to be a bug in Nginx.
>
> Observation was that given ngx_http_request_t *r and an auth of
> "username" & "password" (respectively).
>
> r->headers_in.user.data was equal to "username:password"
> r->headers_in.user.len was equal to 8 for username
>
> I believe that this is a bug and that user.data was intended to be
> truncated to the "username" alone.
>
> The tested version is 1.0.0
> The development environment was Ubuntu 11.04
> Configured from source with the following options
>
> ./configure \
> --sbin-path=/usr/local/sbin/ \
> --conf-path=/usr/local/etc/nginx/nginx.conf \
> --with-pcre \
> --with-http_ssl_module \
> --with-http_gzip_static_module \
> --without-http_charset_module \
> --without-http_ssi_module \
> --without-http_userid_module \
> --without-http_autoindex_module \
> --without-http_geo_module \
> --without-http_map_module \
> --without-http_referer_module \
> --without-http_proxy_module \
> --without-http_memcached_module \
> --without-http_limit_zone_module \
> --without-http_limit_req_module \
> --without-http_empty_gif_module \
> --without-http_browser_module \
> --without-http_upstream_ip_hash_module \
> --add-module=../custom_auth
>
> If I did not provide enough relevant information or I am in some way
> mistaken about the nature of this, my apologies; this is only my second
> day working in C.

"username:password" is the string obtained after the Authorization header
has been converted from base64. nginx does not try to copy strings or to
make them zero-terminated if possible.
--
Igor Sysoev
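
Added example, not part of the original thread and not nginx source: a minimal C sketch of why a (len, data) string view over the decoded "username:password" buffer must always be read with its length. `str_t` is a stand-in for nginx's ngx_str_t, and all function names are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Stand-in for nginx's ngx_str_t: a length plus a pointer, no NUL guarantee. */
typedef struct {
    size_t         len;
    unsigned char *data;
} str_t;

/* Split decoded "user:pass" into two views over the same buffer (no copy).
 * Returns 0 on success, -1 if there is no ':' separator. */
int split_credentials(unsigned char *decoded, size_t n, str_t *user, str_t *pass)
{
    unsigned char *colon = memchr(decoded, ':', n);
    if (colon == NULL) {
        return -1;
    }
    user->data = decoded;
    user->len  = (size_t) (colon - decoded);
    pass->data = colon + 1;
    pass->len  = n - user->len - 1;
    return 0;
}

/* Wrong: ignores len and reads on to whatever NUL follows the buffer, if any. */
int user_matches_cstring(const str_t *user, const char *expected)
{
    return strcmp((const char *) user->data, expected) == 0;
}

/* Right: compare exactly len bytes, and require equal lengths. */
int user_matches_len(const str_t *user, const char *expected)
{
    size_t elen = strlen(expected);
    return user->len == elen && memcmp(user->data, expected, elen) == 0;
}

/* Copy into a caller buffer and terminate, for APIs that need a C string.
 * Returns 0 on success, -1 if the buffer is too small. */
int str_to_cstring(const str_t *s, char *out, size_t outsz)
{
    if (s->len >= outsz) {
        return -1;
    }
    memcpy(out, s->data, s->len);
    out[s->len] = '\0';
    return 0;
}
```

With the reporter's input, the username view has len 8 while its data pointer still addresses the whole "username:password" buffer, so only the length-aware comparison matches "username".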