Manipulating the body of a PUT/POST

Maxim Dounin mdounin at mdounin.ru
Wed Oct 17 17:42:35 UTC 2012


Hello!

On Wed, Oct 17, 2012 at 03:09:26PM +0400, kyprizel wrote:

> Maxim, we use body handling code from Valery Kholodkov's upload
> module (and nginx core) in Nginx ModSecurity module, can you please
> look at the code and check if we do it correctly?
> http://mod-security.svn.sourceforge.net/viewvc/mod-security/m2/trunk/nginx/modsecurity/

Are you kidding?  ;)

It can't be correct without input body filtering implemented.  
It's a hack at best, expect it to break on major changes in 
request body reading code.  Additionally, it looks like you've 
failed to provide any logic to actually save request body for use 
by other modules if it's large enough not to fit into memory 
buffer configured (that is, write request body to disk), nor any 
logic to honor r->request_body_in_file_only.

The only _correct_ approach available as of now is to call 
ngx_http_read_client_request_body(), and work with the result once 
post_handler is called.

-- 
Maxim Dounin
http://nginx.com/support.html
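
An added illustration, not part of the original message and not nginx or ModSecurity code: once ngx_http_read_client_request_body() has run and the post_handler is called, the body may sit in memory buffers or in a temp file on disk, so an inspecting module has to walk both kinds of buffer or it misses whatever was spilled to disk. The types are simplified stand-ins for ngx_buf_t and ngx_chain_t (buf_t, chain_t, body_count and demo are hypothetical names; FILE * replaces nginx's file descriptor), and the code handles any mix of the two buffer kinds.

```c
#include <stdio.h>

/* Stand-ins for nginx's ngx_buf_t / ngx_chain_t, reduced to the fields used
   here (assumption: simplified model, not the real nginx definitions). */
typedef struct {
    unsigned char *pos, *last;  /* in-memory span [pos, last) */
    long file_pos, file_last;   /* on-disk span [file_pos, file_last) */
    FILE *file;                 /* temp file holding the spilled body */
    int in_file;                /* 1: data is in the temp file */
} buf_t;
typedef struct chain_s { buf_t *buf; struct chain_s *next; } chain_t;

/* Count byte `c` across the whole body, memory and disk alike.
   Returns -1 on a read error so the caller can fail closed. */
long body_count(chain_t *cl, unsigned char c) {
    unsigned char tmp[4096];
    long n = 0;
    for (; cl; cl = cl->next) {
        buf_t *b = cl->buf;
        if (!b->in_file) {
            for (unsigned char *p = b->pos; p < b->last; p++) n += (*p == c);
            continue;
        }
        if (fseek(b->file, b->file_pos, SEEK_SET) != 0) return -1;
        for (long left = b->file_last - b->file_pos; left > 0; ) {
            size_t want = left > (long)sizeof(tmp) ? sizeof(tmp) : (size_t)left;
            size_t got = fread(tmp, 1, want, b->file);
            if (got == 0) return -1;
            for (size_t i = 0; i < got; i++) n += (tmp[i] == c);
            left -= (long)got;
        }
    }
    return n;
}

/* Constructed sample: 6 bytes in memory, then 10000 bytes spilled to disk. */
long demo(void) {
    static unsigned char mem[] = "a=1&b=";
    FILE *f = tmpfile();
    if (!f) return -1;
    for (int i = 0; i < 10000; i++) fputc(i % 100 ? 'x' : '&', f);
    buf_t m = { mem, mem + 6, 0, 0, NULL, 0 };
    buf_t d = { NULL, NULL, 0, 10000, f, 1 };
    chain_t c2 = { &d, NULL }, c1 = { &m, &c2 };
    long n = body_count(&c1, '&');
    fclose(f);
    return n;
}

int main(void) { printf("%ld\n", demo()); return 0; }
```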