Manipulating the body of a PUT/POST

kyprizel kyprizel at gmail.com
Wed Oct 17 20:02:47 UTC 2012


ModSecurity can't handle big bodies anyway, so if the body is too big
to fit in memory - it'll be discarded by modsecurity, so there is no
reason to handle bodies written to the temp files.

On Wed, Oct 17, 2012 at 9:42 PM, Maxim Dounin <mdounin at mdounin.ru> wrote:
> Hello!
>
> On Wed, Oct 17, 2012 at 03:09:26PM +0400, kyprizel wrote:
>
>> Maxim, we use body handling code from Valery Kholodkov's upload
>> module (and nginx core) in Nginx ModSecurity module, can you please
>> look at the code and check if we do it correctly?
>> http://mod-security.svn.sourceforge.net/viewvc/mod-security/m2/trunk/nginx/modsecurity/
>
> Are you kidding?  ;)
>
> It can't be correct without input body filtering implemented.
> It's a hack at best, expect it to break on major changes in
> request body reading code.  Additionally, it looks like you've
> failed to provide any logic to actually save request body for use
> by other modules if it's large enough to not fit into memory
> buffer configured (that is, write request body to disk), nor any
> logic to honor r->request_body_in_file_only.
>
> The only _correct_ approach available as of now is to call
> ngx_http_read_client_request_body(), and work with the result once
> post_handler is called.
>
> --
> Maxim Dounin
> http://nginx.com/support.html

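An added example, not code from this thread, nginx or ModSecurity: a simplified C model of the point in dispute, showing that an inspector which reads only in-memory buffers misses data spilled to a temp file, while one that reads the whole body (or returns an error so the caller can reject the request) does not. `body_buf`, `inspect_body` and `demo` are hypothetical names, and the body contents are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-in for one link of a body buffer chain (not nginx's ngx_chain_t). */
typedef struct body_buf {
    const char *mem; size_t len;  /* in-memory bytes (NULL when spilled to disk), byte count */
    FILE *file; long file_pos;    /* temp file and offset, used when mem == NULL */
    struct body_buf *next;
} body_buf;
enum verdict { PASS, BLOCK, ERROR };

/* mem_only=1 models an inspector that skips file-backed links; ERROR means fail closed. */
enum verdict inspect_body(const body_buf *b, const char *needle, size_t max, int mem_only)
{
    size_t total = 0, nl = strlen(needle);
    char *flat = NULL, *p;
    enum verdict v = PASS;
    for (; b != NULL && v == PASS; b = b->next) {
        if (!b->mem && mem_only) continue;                /* the blind spot */
        if (b->len > max - total || !(p = realloc(flat, total + b->len + 1))) { v = ERROR; break; }
        flat = p;
        if (b->mem) memcpy(flat + total, b->mem, b->len);
        else if (fseek(b->file, b->file_pos, SEEK_SET) != 0 ||
                 fread(flat + total, 1, b->len, b->file) != b->len) v = ERROR;
        total += b->len;
    }
    for (size_t i = 0; v == PASS && nl > 0 && i + nl <= total; i++)
        if (memcmp(flat + i, needle, nl) == 0) v = BLOCK;
    free(flat);
    return v;
}

/* Constructed sample: the marker straddles the memory/temp-file boundary. */
enum verdict demo(int mem_only, size_t max)
{
    const char *head = "a=1&b=forbid", *tail = "den-token&c=2";
    FILE *tmp = tmpfile();
    if (!tmp) return ERROR;
    fputs(tail, tmp);
    body_buf on_disk = { NULL, strlen(tail), tmp, 0, NULL };
    body_buf in_mem = { head, strlen(head), NULL, 0, &on_disk };
    enum verdict v = inspect_body(&in_mem, "forbidden-token", max, mem_only);
    fclose(tmp);
    return v;
}

int main(void)
{
    printf("memory only=%d whole body=%d over limit=%d\n", demo(1, 1 << 20), demo(0, 1 << 20), demo(0, 8));
    return 0;
}
```
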