Your message dated with message-id and subject line Closing resolved bug reports has caused the Debian Bug report #1050571, regarding nginx: normalises "Status: 123 " and "Status: 123" to invalid "HTTP/1.1 123" (must be "HTTP/1.1 123 ") to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.) -- 1050571: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050571 Debian Bug Tracking System Contact [email protected] with problems
--- Begin Message ---Package: nginx Version: 1.24.0-1 Severity: normal Dear Maintainer, Test setup: -- >8 -- #!/bin/sh printf '%s\n' "Status: ${DOCUMENT_URI##*/}" 'Content-Type: text/plain' '' "${DOCUMENT_URI##*/}" -- >8 -- in /tmp/cgi and -- >8 -- server { listen 127.1.2.3:80; location / { fastcgi_pass unix:/run/fcgiwrap.socket; include /etc/nginx/fastcgi_params; fastcgi_param SCRIPT_FILENAME /tmp/cgi; } } -- >8 -- in /etc/nginx/sites-enabled/demo. Naturally, this program returns "Status: {request path without /}", with body "{request path without /}" and whatever padding to make it palatable to nginx. Now, the abridged bug (full log attached, but it's not exciting): -- >8 -- $ curl -s -vvv http://127.1.2.3/'404%20Zupa' 2>&1 | cat -A > GET /404%20Zupa HTTP/1.1^M$ < HTTP/1.1 404 Zupa^M$ < Server: nginx/1.24.0^M$ 404 Zupa$ $ curl -s -vvv http://127.1.2.3/'404%20' 2>&1 | cat -A > GET /404%20 HTTP/1.1^M$ < HTTP/1.1 404^M$ < Server: nginx/1.24.0^M$ 404 $ $ curl -s -vvv http://127.1.2.3/'404' 2>&1 | cat -A > GET /404 HTTP/1.1^M$ < HTTP/1.1 404^M$ < Server: nginx/1.24.0^M$ 404$ $ curl -s -vvv http://127.1.2.3/'40' 2>&1 | cat -A > GET /40 HTTP/1.1^M$ < HTTP/1.1 502 Bad Gateway^M$ < Server: nginx/1.24.0^M$ <html>^M$ <head><title>502 Bad Gateway</title></head>^M$ <body>^M$ <center><h1>502 Bad Gateway</h1></center>^M$ <hr><center>nginx/1.24.0</center>^M$ </body>^M$ </html>^M$ -- >8 -- (yes, I straced fcgiwrap, it doesn't mangle the Status lines). Case-wise: "404 Zupa" correct! it's a valid 404 "40" correct! it's invalid, 502ing is sensible but "404 " wrong! "404" wrong! Both are normalised by nginx to "HTTP/1.1 404", which is invalid accd'g to RFC9112 (I think that's the current standard?): https://www.rfc-editor.org/rfc/rfc9112.html#name-collected-abnf which says start-line = request-line / status-line status-code = 3DIGIT status-line = HTTP-version SP status-code SP [ reason-phrase ] Naturally, nginx is producing a status-line without the second SP, which is wrong! Repros on sid and bookworm. Best, наб -- System Information: Debian Release: trixie/sid APT prefers unstable APT policy: (500, 'unstable') Architecture: x32 (x86_64) Foreign Architectures: amd64, i386 Kernel: Linux 6.3.0-2-amd64 (SMP w/2 CPU threads; PREEMPT) Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages nginx depends on: ii iproute2 6.4.0-1 ii libc6 2.37-6 ii libcrypt1 1:4.4.35-1 ii libpcre2-8-0 10.42-2 ii libssl3 3.0.10-1 ii nginx-common 1.24.0-1 ii zlib1g 1:1.2.13.dfsg-1 nginx recommends no packages. nginx suggests no packages. -- no debconf information$ curl -s -vvv http://127.1.2.3/'404%20Zupa' 2>&1 | cat -A * Trying 127.1.2.3:80...$ * Connected to 127.1.2.3 (127.1.2.3) port 80 (#0)$ > GET /404%20Zupa HTTP/1.1^M$ > Host: 127.1.2.3^M$ > User-Agent: curl/7.86.0^M$ > Accept: */*^M$ > ^M$ * Mark bundle as not supporting multiuse$ < HTTP/1.1 404 Zupa^M$ < Server: nginx/1.24.0^M$ < Date: Sat, 26 Aug 2023 11:53:59 GMT^M$ < Content-Type: text/plain^M$ < Transfer-Encoding: chunked^M$ < Connection: keep-alive^M$ < ^M$ { [19 bytes data]$ * Connection #0 to host 127.1.2.3 left intact$ 404 Zupa$ $ curl -s -vvv http://127.1.2.3/'404%20' 2>&1 | cat -A * Trying 127.1.2.3:80...$ * Connected to 127.1.2.3 (127.1.2.3) port 80 (#0)$ > GET /404%20 HTTP/1.1^M$ > Host: 127.1.2.3^M$ > User-Agent: curl/7.86.0^M$ > Accept: */*^M$ > ^M$ * Mark bundle as not supporting multiuse$ < HTTP/1.1 404^M$ < Server: nginx/1.24.0^M$ < Date: Sat, 26 Aug 2023 11:54:04 GMT^M$ < Content-Type: text/plain^M$ < Transfer-Encoding: chunked^M$ < Connection: keep-alive^M$ < ^M$ { [15 bytes data]$ * Connection #0 to host 127.1.2.3 left intact$ 404 $ $ curl -s -vvv http://127.1.2.3/'404' 2>&1 | cat -A * Trying 127.1.2.3:80...$ * Connected to 127.1.2.3 (127.1.2.3) port 80 (#0)$ > GET /404 HTTP/1.1^M$ > Host: 127.1.2.3^M$ > User-Agent: curl/7.86.0^M$ > Accept: */*^M$ > ^M$ * Mark bundle as not supporting multiuse$ < HTTP/1.1 404^M$ < Server: nginx/1.24.0^M$ < Date: Sat, 26 Aug 2023 11:55:51 GMT^M$ < Content-Type: text/plain^M$ < Transfer-Encoding: chunked^M$ < Connection: keep-alive^M$ < ^M$ { [14 bytes data]$ * Connection #0 to host 127.1.2.3 left intact$ 404$ $ curl -s -vvv http://127.1.2.3/'40' 2>&1 | cat -A * Trying 127.1.2.3:80...$ * Connected to 127.1.2.3 (127.1.2.3) port 80 (#0)$ > GET /40 HTTP/1.1^M$ > Host: 127.1.2.3^M$ > User-Agent: curl/7.86.0^M$ > Accept: */*^M$ > ^M$ * Mark bundle as not supporting multiuse$ < HTTP/1.1 502 Bad Gateway^M$ < Server: nginx/1.24.0^M$ < Date: Sat, 26 Aug 2023 11:55:53 GMT^M$ < Content-Type: text/html^M$ < Content-Length: 157^M$ < Connection: keep-alive^M$ < ^M$ { [157 bytes data]$ * Connection #0 to host 127.1.2.3 left intact$ <html>^M$ <head><title>502 Bad Gateway</title></head>^M$ <body>^M$ <center><h1>502 Bad Gateway</h1></center>^M$ <hr><center>nginx/1.24.0</center>^M$ </body>^M$ </html>^M$
signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---This issue appears to be resolved, so I'm closing this bug report. Please reopen it if the problem persists. Best regards, Jan
--- End Message ---

