Alias regex use causing core dump as of nginx 1.7.1

Maxim Dounin mdounin at mdounin.ru
Mon Jul 27 05:47:12 UTC 2015


Hello!

On Sun, Jul 26, 2015 at 10:25:19AM -0400, Per Hansson wrote:

> Hi, after upgrading from the v1.6.3 to v1.8.0 stable branch an alias I used
> for Roundcubemail no longer works.
> I traced the issue back to a probable change made in nginx v1.7.1:
> "Bugfix: the "alias" directive used inside a location given by a regular
> expression worked incorrectly if the "if" or "limit_except" directives were
> used."
> 
> In version 1.6.3 and 1.7.0 the following works fine:
>         ## Roundcubemail for Remi repository
>         location ~ ^/mail/(.+\.php)$ {
>            alias /usr/share/roundcubemail/$1;
>            client_max_body_size 5M;
>            fastcgi_pass _php;
>         }
>         location ~ /mail {
>            alias /usr/share/roundcubemail/;
>            client_max_body_size 5M;
>            try_files $uri $uri/ /index.php;
>         }
> 
> But in v1.7.1 it causes nginx to core dump if I visit the url
> domain.com/mail and if I visit domain.com/mail/ I get taken to the front
> page.
> 
> [notice] 26221#0: signal 17 (SIGCHLD) received
> [alert] 26221#0: worker process 26223 exited on signal 11 (core dumped)
> [notice] 26221#0: start worker process 26231
> [notice] 26221#0: signal 29 (SIGIO) received

Thanks, it was broken by this commit:

http://hg.nginx.org/nginx/rev/c985d90a8d1f

The patch below will fix the segfault.  Note, though, that the 
result probably won't work for you.  The proper way to fix this 
would be to not use a regex location for /mail, but to use a prefix 
one instead, i.e.:

    location /mail {
        alias /usr/share/roundcubemail/;
        try_files $uri $uri/ /index.php;
    }

(Note: no "~".)

The configuration with the regex location previously worked by 
coincidence - in try_files nginx used to do a string comparison with 
the regular expression specified, and this happened to produce a 
sensible result in your case.

Patch:

# HG changeset patch
# User Maxim Dounin <mdounin at mdounin.ru>
# Date 1437975869 -10800
#      Mon Jul 27 08:44:29 2015 +0300
# Node ID cb8f6e9d9943e2c8bd332443c0018a40353288fe
# Parent  d34cda011a8ed968c5f2c4469ce43b7e7f0afda6
Fixed segfault with try_files introduced by c985d90a8d1f.

If alias was used in a location given by a regular expression,
nginx used to do the wrong thing in try_files if a location name (i.e.,
regular expression) was an exact prefix of the URI.  The following
configuration triggered a segmentation fault on a request to "/mail":

    location ~ /mail {
        alias /path/to/directory;
        try_files $uri =404;
    }

Reported by Per Hansson.

diff --git a/src/http/ngx_http_core_module.c b/src/http/ngx_http_core_module.c
--- a/src/http/ngx_http_core_module.c
+++ b/src/http/ngx_http_core_module.c
@@ -1239,7 +1239,9 @@ ngx_http_core_try_files_phase(ngx_http_r
 
             *e.pos = '\0';
 
-            if (alias && ngx_strncmp(name, clcf->name.data, alias) == 0) {
+            if (alias && alias != NGX_MAX_SIZE_T_VALUE
+                && ngx_strncmp(name, clcf->name.data, alias) == 0)
+            {
                 ngx_memmove(name, name + alias, len - alias);
                 path.len -= alias;
             }
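
Review bot: the new `alias != NGX_MAX_SIZE_T_VALUE` test in the `if` has no comment saying what the sentinel stands for, so a reader of this function alone cannot tell why a maximal size_t value is excluded. A short comment above the condition, along the lines of the commit message (alias used in a location given by a regular expression), would help. It is also worth stating there that in this case the `ngx_memmove()` and `path.len -= alias` adjustment is skipped on purpose and `name` is left unshifted; as written the guard removes the crash but leaves the resulting try_files behaviour for such locations undocumented.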

-- 
Maxim Dounin
http://nginx.org/
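
The "worked by coincidence" comparison and the guard added by the patch, as a reduced C model (an added example, not nginx source and not code from this thread). `loc_t`, `strip_alias_prefix` and `ALIAS_IN_REGEX` are hypothetical names; the model assumes the stored alias value is either the length of the location name or a sentinel standing in for NGX_MAX_SIZE_T_VALUE.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: stands in for the NGX_MAX_SIZE_T_VALUE sentinel in the patch. */
#define ALIAS_IN_REGEX SIZE_MAX

/* Hypothetical, reduced model of a location: not nginx's real struct. */
typedef struct {
    const char *name;  /* prefix string, or the regex source text */
    size_t alias;      /* 0 = no alias, ALIAS_IN_REGEX, or strlen(name) */
} loc_t;

/* Strip the location name from the front of a try_files candidate, in place.
 * Returns the new length; the buffer is left untouched when nothing applies. */
size_t strip_alias_prefix(const loc_t *loc, char *name, size_t len)
{
    size_t alias = loc->alias;

    /* The sentinel is a marker, not a length: reject it before it reaches
     * strncmp()/memmove(), where it would index far outside the buffer. */
    if (alias == 0 || alias == ALIAS_IN_REGEX || alias > len) {
        return len;
    }
    if (strncmp(name, loc->name, alias) != 0) {
        return len;
    }
    memmove(name, name + alias, len - alias);
    name[len - alias] = '\0';
    return len - alias;
}

int main(void)
{
    /* Constructed inputs. */
    loc_t literal = { "/mail", 5 };              /* regex text is a literal */
    loc_t anchored = { "^/mail", 6 };            /* regex text has an anchor */
    loc_t marked = { "/mail", ALIAS_IN_REGEX };  /* sentinel-marked location */
    char a[] = "/mail/index.php", b[] = "/mail/index.php", c[] = "/mail";

    strip_alias_prefix(&literal, a, strlen(a));
    strip_alias_prefix(&anchored, b, strlen(b));
    strip_alias_prefix(&marked, c, strlen(c));
    printf("%s | %s | %s\n", a, b, c);
    return 0;
}
```

Only the first case is rewritten: a regex whose source text happens to be a literal prefix of the URI compares equal as a string, while an anchored pattern or a sentinel-marked location leaves the candidate unchanged.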


