Manipulating the body of a PUT/POST
mdounin at mdounin.ru
Wed Oct 17 17:42:35 UTC 2012
On Wed, Oct 17, 2012 at 03:09:26PM +0400, kyprizel wrote:
> Maxim, we use body handling code from Valery Kholodkov's upload
> module(and nginx core) in Nginx ModSecurity module, can you please
> look at the code and check if we do it correctly?
Are you kidding? ;)
It can't be correct without input body filtering implemented.
It's a hack at best, expect it to break on major changes in
request body reading code. Additionally, it looks like you've
failed to provide any logic to actually save request body for use
by other modules if it's large enough to don't fit into memory
buffer configured (that is, write request body to disk), nor any
logic to honor r->request_body_in_file_only.
The only _correct_ aproach available as of now is to call
ngx_http_read_client_request_body(), and work with the result once
post_handler is called.
More information about the nginx-devel