Manipulating the body of a PUT/POST
Maxim Dounin
mdounin at mdounin.ru
Wed Oct 17 17:42:35 UTC 2012
Hello!
On Wed, Oct 17, 2012 at 03:09:26PM +0400, kyprizel wrote:
> Maxim, we use body handling code from Valery Kholodkov's upload
> module(and nginx core) in Nginx ModSecurity module, can you please
> look at the code and check if we do it correctly?
> http://mod-security.svn.sourceforge.net/viewvc/mod-security/m2/trunk/nginx/modsecurity/
Are you kidding? ;)
It can't be correct without input body filtering implemented.
It's a hack at best, expect it to break on major changes in
request body reading code. Additionally, it looks like you've
failed to provide any logic to actually save request body for use
by other modules if it's large enough to don't fit into memory
buffer configured (that is, write request body to disk), nor any
logic to honor r->request_body_in_file_only.
The only _correct_ aproach available as of now is to call
ngx_http_read_client_request_body(), and work with the result once
post_handler is called.
--
Maxim Dounin
http://nginx.com/support.html
More information about the nginx-devel
mailing list