ngx_http_upstream_copy_allow_ranges() issue when using ModSecurity
Maxim Dounin
mdounin at mdounin.ru
Thu Dec 3 14:05:29 UTC 2015
Hello!

On Thu, Dec 03, 2015 at 12:55:15PM +0200, Kipras Mancevičius wrote:
> Hey everyone,
>
> looks like nginx versions >= 1.7.7 have issues with the modsecurity module,
> because of the new proxy_force_ranges directive. The problem is that
> modsecurity calls ngx_http_upstream_header_t->copy_handler() for all
> ngx_http_upstream_headers_in headers specified in ngx_http_upstream.
>
> And in ngx_http_upstream_copy_allow_ranges() the check for that
> configuration value [1] results in a segfault, because r->upstream->conf is
> probably NULL at that point, which causes nginx to crash.
>
> One way to work around this is to set "proxy_force_ranges" to on in nginx
> config. However another simple fix is to check if r->upstream->conf exists,
> before accessing r->upstream->conf->force_ranges. And this shouldn't change
> the behavior of nginx (which changing the value of this flag does).
>
> More info: see @driehuls comment in
> https://github.com/SpiderLabs/ModSecurity/issues/823
[...]

What ModSecurity does looks like a hack abusing part of the
upstream module, and the segmentation fault is an expected result
of the approach taken. ModSecurity module should be rewritten to
avoid the hack, or the hack should be updated to the changes in
nginx. In the latter case more segfaults are expected in the
future.

Just in case, here is a (closed invalid) ticket in nginx trac
about this:

https://trac.nginx.org/nginx/ticket/690

--
Maxim Dounin
http://nginx.org/
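
Added example, not part of the original messages and not nginx or ModSecurity code: a simplified C model of the failure mode discussed in this thread, showing the unchecked handler, the handler-side NULL check proposed in the quoted message, and a caller-side precondition check. All model_* types and the function names are hypothetical, and the early return when force_ranges is set is an assumption about what the check does.

```c
#include <stddef.h>

/* Simplified stand-ins for the nginx structures named in the thread;
   every model_* name is hypothetical, not nginx's own definition. */
typedef struct { int force_ranges; } model_conf_t;
typedef struct { model_conf_t *conf; } model_upstream_t;
typedef struct {
    model_upstream_t *upstream;
    const char       *accept_ranges_out;  /* header passed on to the client */
} model_request_t;

enum { MODEL_OK = 0, MODEL_ERROR = -1 };

/* Handler as the quoted message describes it: reads conf->force_ranges
   with no check, so it crashes when the upstream has no conf attached.
   Assumption: with force_ranges set, the header copy is skipped. */
int copy_allow_ranges_unguarded(model_request_t *r, const char *value)
{
    if (r->upstream->conf->force_ranges) {
        return MODEL_OK;
    }
    r->accept_ranges_out = value;
    return MODEL_OK;
}

/* Handler with the check proposed in the quoted message: a missing conf
   is treated like force_ranges off; with a valid conf nothing changes. */
int copy_allow_ranges_guarded(model_request_t *r, const char *value)
{
    if (r->upstream == NULL) {
        return MODEL_ERROR;
    }
    if (r->upstream->conf != NULL && r->upstream->conf->force_ranges) {
        return MODEL_OK;
    }
    r->accept_ranges_out = value;
    return MODEL_OK;
}

/* Caller-side alternative: code that reuses a copy handler outside the
   upstream module first verifies the context the handler relies on. */
int copy_header_checked(model_request_t *r, const char *value)
{
    if (r->upstream == NULL || r->upstream->conf == NULL) {
        return MODEL_ERROR;   /* refuse instead of dereferencing NULL */
    }
    return copy_allow_ranges_unguarded(r, value);
}
```

The caller-side check only covers the one field discussed here; a handler called outside its intended context may depend on other state as well, which is the reply's point about further segfaults.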