fix error message for auth basic module.

Toshikuni Fukaya toshikuni-fukaya at cybozu.co.jp
Wed Feb 25 02:19:22 UTC 2015


Hi,

On 2015/02/25 1:34, Maxim Dounin wrote:
> Hello!
>
> On Tue, Feb 24, 2015 at 06:36:47PM +0900, Toshikuni Fukaya wrote:
>
>> Hi,
>>
>> I found a little bug on error logging for ngx_http_auth_basic_module.
>> My config is following:
>>
>> location / {
>>    set $file passwd;
>>    auth_basic "closed";
>>    auth_basic_user_file /etc/nginx/$file;
>> }
>>
>> When access to the location with wrong user or password,
>> nginx logged a user file name and it contains null character.
>>
>> The reason of this is using format '%V' to print user_file.
>> I think it is a bug because '%s' is used for the variable in other
>> positions.
>
> Normally, variables which are nginx strings and at the same time
> point to files do have a NULL character at the end (because it's
> required to work with system calls), but it doesn't included in
> the len field.  That is, one can use either %s with user_file.data
> or %V with &user_file.  The %s variant was used in syscall-related
> messages (to make sure to print the name used by syscalls), and %V
> in normal code.
>
> In this particular case the problem seems to be introduced by
> the revision a6954ce88b80 (http://hg.nginx.org/nginx/rev/a6954ce88b80)
> during conversion to complex values.  Previously, the invariant
> outlined above was held, but after a6954ce88b80 if auth_basic_user_file
> contains variables, then user_files.len includes a NULL character.
>
> While using %s in all cases as in your patch will fix the problem,
> I would rather prefer to see the invariant restored.
>

I understand the real reason of the problem.
To solve this, I should add a null char to ngx_str_t.data but should not 
add a length of such null char to ngx_str_t.len. ok?
If true, will I need to fix ngx_http_script_done and 
ngx_http_script_add_copy_code not to add a length of null char?

Thanks,
Toshikuni Fukaya



More information about the nginx-devel mailing list