Manipulating the body of a PUT/POST
kyprizel
kyprizel at gmail.com
Thu Oct 18 12:36:05 UTC 2012
1. We can limit request body size in config - 8Mb is enough in most cases.
2. ModSecurity shouldn't inspect all requests.
3. ngx_http_read_client_request_body returns 64/128Kb only; reading into
memory allows us to handle much more.
Of course it should be changed to use the body inspection interface,
but there is no ETA, and parsing temporary files isn't a good solution at
the moment.
On Thu, Oct 18, 2012 at 1:32 PM, Maxim Dounin <mdounin at mdounin.ru> wrote:
> Hello!
>
> On Thu, Oct 18, 2012 at 12:02:47AM +0400, kyprizel wrote:
>
>> ModSecurity can't handle big bodies anyway, so if the body is too big
>> to fit in memory - it'll be discarded by modsecurity, so there is no
>> reason to handle bodies written to the temp files.
>
> What your code does is silent data corruption. I wouldn't try to
> advocate such a behaviour with the "security" word in the project's
> name... :)
>
> But if you don't want to handle big bodies - why do you need custom
> reading code at all? It would be enough to call
> ngx_http_read_client_request_body() and then in post_handler walk
> through r->request_body->bufs, returning an error if you see a
> buffer which isn't in memory.
>
>> On Wed, Oct 17, 2012 at 9:42 PM, Maxim Dounin <mdounin at mdounin.ru> wrote:
>> > Hello!
>> >
>> > On Wed, Oct 17, 2012 at 03:09:26PM +0400, kyprizel wrote:
>> >
>> >> Maxim, we use body handling code from Valery Kholodkov's upload
>> >> module(and nginx core) in Nginx ModSecurity module, can you please
>> >> look at the code and check if we do it correctly?
>> >> http://mod-security.svn.sourceforge.net/viewvc/mod-security/m2/trunk/nginx/modsecurity/
>> >
>> > Are you kidding? ;)
>> >
>> > It can't be correct without input body filtering implemented.
>> > It's a hack at best, expect it to break on major changes in
>> > request body reading code. Additionally, it looks like you've
>> > failed to provide any logic to actually save the request body for use
>> > by other modules if it's large enough to not fit into the memory
>> > buffer configured (that is, write the request body to disk), nor any
>> > logic to honor r->request_body_in_file_only.
>> >
>> > The only _correct_ approach available as of now is to call
>> > ngx_http_read_client_request_body(), and work with the result once
>> > post_handler is called.
>> >
>> > --
>> > Maxim Dounin
>> > http://nginx.com/support.html
>> >
>> > _______________________________________________
>> > nginx-devel mailing list
>> > nginx-devel at nginx.org
>> > http://mailman.nginx.org/mailman/listinfo/nginx-devel
>>
>
> --
> Maxim Dounin
> http://nginx.com/support.html
>
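Added example, not code from the thread or from the ModSecurity module: a stand-alone C model of the post_handler check Maxim describes, walking the request body chain and failing closed when any buffer is not in memory instead of silently skipping inspection. The structs below only mimic the nginx fields used here and are constructed for this example, not taken from nginx headers.

```c
/* Model of the post_handler check: walk the body chain and fail closed if a
 * buffer was spilled to a temp file. body_buf_t/body_chain_t are constructed
 * stand-ins for the nginx fields used here, not the real nginx types. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NGX_OK     0
#define NGX_ERROR -1
typedef struct {
    unsigned char *pos;      /* first byte of data in this buffer */
    unsigned char *last;     /* one past the last byte */
    unsigned       in_file;  /* nonzero when nginx spilled this buffer to disk */
} body_buf_t;
typedef struct body_chain_s {
    body_buf_t          *buf;
    struct body_chain_s *next;
} body_chain_t;

/* Concatenate the in-memory body into out[] and set *out_len. Returns
 * NGX_ERROR if any buffer lives only in a temp file or the body would not fit
 * in out_cap bytes, so the caller rejects the request rather than passing an
 * uninspected (or truncated) body to the rules engine. */
int collect_body(const body_chain_t *cl, unsigned char *out, size_t out_cap,
                 size_t *out_len)
{
    size_t used = 0;
    for (; cl != NULL; cl = cl->next) {
        const body_buf_t *b = cl->buf;
        size_t n = (size_t)(b->last - b->pos);
        if (b->in_file || n > out_cap - used) {
            return NGX_ERROR;
        }
        memcpy(out + used, b->pos, n);
        used += n;
    }
    *out_len = used;
    return NGX_OK;
}

int main(void)
{
    unsigned char p1[] = "user=alice&", p2[] = "action=save";  /* constructed */
    body_buf_t b1 = { p1, p1 + 11, 0 }, b2 = { p2, p2 + 11, 0 };
    body_chain_t c2 = { &b2, NULL }, c1 = { &b1, &c2 };
    unsigned char body[64]; size_t len = 0;
    printf("in memory: rc=%d\n", collect_body(&c1, body, sizeof body, &len));
    b2.in_file = 1;  /* simulate the second buffer having been written to disk */
    printf("spilled:   rc=%d\n", collect_body(&c1, body, sizeof body, &len));
    return 0;
}
```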