Your message dated 
with message-id 
and subject line Closing resolved bug reports
has caused the Debian Bug report #1050571,
regarding nginx: normalises "Status: 123 " and "Status: 123" to invalid 
"HTTP/1.1 123" (must be "HTTP/1.1 123 ")
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1050571: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1050571
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: nginx
Version: 1.24.0-1
Severity: normal

Dear Maintainer,

Test setup:
-- >8 --
#!/bin/sh
printf '%s\n' "Status: ${DOCUMENT_URI##*/}" 'Content-Type: text/plain' '' 
"${DOCUMENT_URI##*/}"
-- >8 --
in /tmp/cgi and
-- >8 --
server {
        listen 127.1.2.3:80;
        location / {
                fastcgi_pass unix:/run/fcgiwrap.socket;
                include /etc/nginx/fastcgi_params;
                fastcgi_param SCRIPT_FILENAME /tmp/cgi;
        }
}
-- >8 --
in /etc/nginx/sites-enabled/demo.

Naturally, this program returns "Status: {request path without /}",
with body "{request path without /}" and whatever padding to make
it palatable to nginx.

Now, the abridged bug (full log attached, but it's not exciting):
-- >8 --
$ curl -s -vvv http://127.1.2.3/'404%20Zupa' 2>&1 | cat -A
> GET /404%20Zupa HTTP/1.1^M$
< HTTP/1.1 404 Zupa^M$
< Server: nginx/1.24.0^M$
404 Zupa$

$ curl -s -vvv http://127.1.2.3/'404%20' 2>&1 | cat -A
> GET /404%20 HTTP/1.1^M$
< HTTP/1.1 404^M$
< Server: nginx/1.24.0^M$
404 $

$ curl -s -vvv http://127.1.2.3/'404' 2>&1 | cat -A
> GET /404 HTTP/1.1^M$
< HTTP/1.1 404^M$
< Server: nginx/1.24.0^M$
404$

$ curl -s -vvv http://127.1.2.3/'40' 2>&1 | cat -A
> GET /40 HTTP/1.1^M$
< HTTP/1.1 502 Bad Gateway^M$
< Server: nginx/1.24.0^M$
<html>^M$
<head><title>502 Bad Gateway</title></head>^M$
<body>^M$
<center><h1>502 Bad Gateway</h1></center>^M$
<hr><center>nginx/1.24.0</center>^M$
</body>^M$
</html>^M$
-- >8 --
(yes, I straced fcgiwrap, it doesn't mangle the Status lines).

Case-wise:
  "404 Zupa" correct! it's a valid 404
  "40"       correct! it's invalid, 502ing is sensible
but
  "404 "     wrong!
  "404"      wrong!

Both are normalised by nginx to "HTTP/1.1 404",
which is invalid accd'g to RFC9112 (I think that's the current standard?):
  https://www.rfc-editor.org/rfc/rfc9112.html#name-collected-abnf
which says
  start-line = request-line / status-line
  status-code = 3DIGIT
  status-line = HTTP-version SP status-code SP [ reason-phrase ]

Naturally, nginx is producing a status-line without the second SP,
which is wrong!

Repros on sid and bookworm.

Best,
наб

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: x32 (x86_64)
Foreign Architectures: amd64, i386

Kernel: Linux 6.3.0-2-amd64 (SMP w/2 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_WARN, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages nginx depends on:
ii  iproute2      6.4.0-1
ii  libc6         2.37-6
ii  libcrypt1     1:4.4.35-1
ii  libpcre2-8-0  10.42-2
ii  libssl3       3.0.10-1
ii  nginx-common  1.24.0-1
ii  zlib1g        1:1.2.13.dfsg-1

nginx recommends no packages.

nginx suggests no packages.

-- no debconf information
$ curl -s -vvv http://127.1.2.3/'404%20Zupa' 2>&1 | cat -A
*   Trying 127.1.2.3:80...$
* Connected to 127.1.2.3 (127.1.2.3) port 80 (#0)$
> GET /404%20Zupa HTTP/1.1^M$
> Host: 127.1.2.3^M$
> User-Agent: curl/7.86.0^M$
> Accept: */*^M$
> ^M$
* Mark bundle as not supporting multiuse$
< HTTP/1.1 404 Zupa^M$
< Server: nginx/1.24.0^M$
< Date: Sat, 26 Aug 2023 11:53:59 GMT^M$
< Content-Type: text/plain^M$
< Transfer-Encoding: chunked^M$
< Connection: keep-alive^M$
< ^M$
{ [19 bytes data]$
* Connection #0 to host 127.1.2.3 left intact$
404 Zupa$

$ curl -s -vvv http://127.1.2.3/'404%20' 2>&1 | cat -A
*   Trying 127.1.2.3:80...$
* Connected to 127.1.2.3 (127.1.2.3) port 80 (#0)$
> GET /404%20 HTTP/1.1^M$
> Host: 127.1.2.3^M$
> User-Agent: curl/7.86.0^M$
> Accept: */*^M$
> ^M$
* Mark bundle as not supporting multiuse$
< HTTP/1.1 404^M$
< Server: nginx/1.24.0^M$
< Date: Sat, 26 Aug 2023 11:54:04 GMT^M$
< Content-Type: text/plain^M$
< Transfer-Encoding: chunked^M$
< Connection: keep-alive^M$
< ^M$
{ [15 bytes data]$
* Connection #0 to host 127.1.2.3 left intact$
404 $

$ curl -s -vvv http://127.1.2.3/'404' 2>&1 | cat -A
*   Trying 127.1.2.3:80...$
* Connected to 127.1.2.3 (127.1.2.3) port 80 (#0)$
> GET /404 HTTP/1.1^M$
> Host: 127.1.2.3^M$
> User-Agent: curl/7.86.0^M$
> Accept: */*^M$
> ^M$
* Mark bundle as not supporting multiuse$
< HTTP/1.1 404^M$
< Server: nginx/1.24.0^M$
< Date: Sat, 26 Aug 2023 11:55:51 GMT^M$
< Content-Type: text/plain^M$
< Transfer-Encoding: chunked^M$
< Connection: keep-alive^M$
< ^M$
{ [14 bytes data]$
* Connection #0 to host 127.1.2.3 left intact$
404$

$ curl -s -vvv http://127.1.2.3/'40' 2>&1 | cat -A
*   Trying 127.1.2.3:80...$
* Connected to 127.1.2.3 (127.1.2.3) port 80 (#0)$
> GET /40 HTTP/1.1^M$
> Host: 127.1.2.3^M$
> User-Agent: curl/7.86.0^M$
> Accept: */*^M$
> ^M$
* Mark bundle as not supporting multiuse$
< HTTP/1.1 502 Bad Gateway^M$
< Server: nginx/1.24.0^M$
< Date: Sat, 26 Aug 2023 11:55:53 GMT^M$
< Content-Type: text/html^M$
< Content-Length: 157^M$
< Connection: keep-alive^M$
< ^M$
{ [157 bytes data]$
* Connection #0 to host 127.1.2.3 left intact$
<html>^M$
<head><title>502 Bad Gateway</title></head>^M$
<body>^M$
<center><h1>502 Bad Gateway</h1></center>^M$
<hr><center>nginx/1.24.0</center>^M$
</body>^M$
</html>^M$

Attachment: signature.asc
Description: PGP signature


--- End Message ---
--- Begin Message ---
This issue appears to be resolved, so I'm closing this bug report.

Please reopen it if the problem persists.

Best regards,
Jan

--- End Message ---

Reply via email to