ngx_http_upstream_copy_allow_ranges() issue when using ModSecurity

Maxim Dounin mdounin at mdounin.ru
Thu Dec 3 14:05:29 UTC 2015


Hello!

On Thu, Dec 03, 2015 at 12:55:15PM +0200, Kipras Mancevičius wrote:

> Hey everyone,
> 
> looks like nginx versions >= 1.7.7 have issues with the modsecurity module,
> because of the new proxy_force_ranges directive. The problem is that
> modsecurity calls ngx_http_upstream_header_t->copy_handler() for all
> ngx_http_upstream_headers_in headers specified in ngx_http_upstream.
> 
> And in ngx_http_upstream_copy_allow_ranges() the check for that
> configuration value [1] results in a segfault, because r->upstream->conf is
> probably NULL at that point, which causes nginx to crash.
> 
> One way to work around this is to set "proxy_force_ranges" to on in nginx
> config. However, another simple fix is to check if r->upstream->conf exists,
> before accessing r->upstream->conf->force_ranges. And this shouldn't change
> the behavior of nginx (which changing the value of this flag does).
> 
> More info: see @driehuls comment in
> https://github.com/SpiderLabs/ModSecurity/issues/823

[...]

What ModSecurity does looks like a hack abusing part of the 
upstream module, and the segmentation fault is an expected result 
of the approach taken.  The ModSecurity module should be rewritten to 
avoid the hack, or the hack should be updated to the changes in 
nginx.  In the latter case more segfaults are expected in the 
future.

Just in case, here is a (closed invalid) ticket in nginx trac 
about this:

https://trac.nginx.org/nginx/ticket/690

-- 
Maxim Dounin
http://nginx.org/
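
The crash discussed in this thread, reduced to a stand-alone C model. This is an added example, not nginx or ModSecurity source, and every type and function name in it is hypothetical. It shows a handler that reads `conf` unchecked being dispatched on a caller-built upstream object, next to the guarded variant proposed in the quoted message.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, simplified stand-ins; not nginx's real structures. */
typedef struct { int force_ranges; } model_conf_t;
typedef struct { model_conf_t *conf; } model_upstream_t;
typedef struct { model_upstream_t *upstream; int allow_ranges; } model_request_t;
typedef int (*copy_handler_pt)(model_request_t *r, const char *value);

enum { COPY_OK = 0, COPY_SKIPPED = 1 };

/* Written for the normal upstream path, where conf is always attached
 * before any header handler runs, so conf is read without a check. */
static int copy_allow_ranges_unchecked(model_request_t *r, const char *value)
{
    (void) value;
    if (r->upstream->conf->force_ranges) {  /* conf == NULL faults here */
        return COPY_OK;                     /* header not copied */
    }
    r->allow_ranges = 1;
    return COPY_OK;
}

/* Same handler with the NULL check proposed in the quoted message. */
static int copy_allow_ranges_guarded(model_request_t *r, const char *value)
{
    if (r->upstream == NULL || r->upstream->conf == NULL) {
        return COPY_SKIPPED;
    }
    return copy_allow_ranges_unchecked(r, value);
}

/* Models an external caller that builds its own upstream object and
 * dispatches a header handler on it; conf may be NULL.
 * Returns allow_ranges after the call, or -1 if the handler skipped. */
static int replay_header(copy_handler_pt handler, model_conf_t *conf)
{
    model_upstream_t u = { conf };
    model_request_t r = { &u, 0 };
    return handler(&r, "bytes") == COPY_OK ? r.allow_ranges : -1;
}

int main(void)
{
    model_conf_t off = { 0 };
    printf("guarded, conf=NULL: %d\n", replay_header(copy_allow_ranges_guarded, NULL));
    printf("guarded, conf set:  %d\n", replay_header(copy_allow_ranges_guarded, &off));
    /* replay_header(copy_allow_ranges_unchecked, NULL) dereferences NULL. */
    return 0;
}
```

The guard covers only this one field; any other handler that reads state the caller-built object never initialised has the same exposure.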



More information about the nginx-devel mailing list