On Thu, Apr 21, 2022 at 01:18:55AM +0300, Maxim Dounin wrote:
> # HG changeset patch
> # User Maxim Dounin <mdou...@mdounin.ru>
> # Date 1650492336 -10800
> # Thu Apr 21 01:05:36 2022 +0300
> # Node ID ab424b5e32405aeec54ccdfe38e9408209209e0a
> # Parent b110c54778e8f6af3ea402c0838a4f289dcd813e
> Upstream: header handlers can now return parsing errors.
>
> With this change, duplicate Content-Length and Transfer-Encoding headers
> are now rejected. Further, responses with invalid Content-Length or
> Transfer-Encoding headers are now rejected, as well as responses with both
> Content-Length and Transfer-Encoding.
jftr, various 3rd party modules that call header handlers: mogilefs, passenger, ajp_module, nginx-clojure, srcache
>
> diff --git a/src/http/modules/ngx_http_fastcgi_module.c
> b/src/http/modules/ngx_http_fastcgi_module.c
> --- a/src/http/modules/ngx_http_fastcgi_module.c
> +++ b/src/http/modules/ngx_http_fastcgi_module.c
> @@ -2007,8 +2007,12 @@ ngx_http_fastcgi_process_header(ngx_http
> hh = ngx_hash_find(&umcf->headers_in_hash, h->hash,
> h->lowcase_key, h->key.len);
>
> - if (hh && hh->handler(r, h, hh->offset) != NGX_OK) {
> - return NGX_ERROR;
> + if (hh) {
> + rc = hh->handler(r, h, hh->offset);
> +
> + if (rc != NGX_OK) {
> + return rc;
> + }
> }
>
> ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
> diff --git a/src/http/modules/ngx_http_grpc_module.c
> b/src/http/modules/ngx_http_grpc_module.c
> --- a/src/http/modules/ngx_http_grpc_module.c
> +++ b/src/http/modules/ngx_http_grpc_module.c
> @@ -1891,8 +1891,12 @@ ngx_http_grpc_process_header(ngx_http_re
> hh = ngx_hash_find(&umcf->headers_in_hash, h->hash,
> h->lowcase_key, h->key.len);
>
> - if (hh && hh->handler(r, h, hh->offset) != NGX_OK) {
> - return NGX_ERROR;
> + if (hh) {
> + rc = hh->handler(r, h, hh->offset);
> +
> + if (rc != NGX_OK) {
> + return rc;
> + }
> }
>
> continue;
> diff --git a/src/http/modules/ngx_http_proxy_module.c
> b/src/http/modules/ngx_http_proxy_module.c
> --- a/src/http/modules/ngx_http_proxy_module.c
> +++ b/src/http/modules/ngx_http_proxy_module.c
> @@ -1930,8 +1930,12 @@ ngx_http_proxy_process_header(ngx_http_r
> hh = ngx_hash_find(&umcf->headers_in_hash, h->hash,
> h->lowcase_key, h->key.len);
>
> - if (hh && hh->handler(r, h, hh->offset) != NGX_OK) {
> - return NGX_ERROR;
> + if (hh) {
> + rc = hh->handler(r, h, hh->offset);
> +
> + if (rc != NGX_OK) {
> + return rc;
> + }
> }
>
> ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
> diff --git a/src/http/modules/ngx_http_scgi_module.c
> b/src/http/modules/ngx_http_scgi_module.c
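Review bot: `return rc;` in the fastcgi, grpc and proxy hunks (and in the scgi and uwsgi hunks that follow) forwards whatever non-`NGX_OK` value a header handler returns, where the old code collapsed every failure to `NGX_ERROR`. The callers of these `process_header` functions are outside the diff, so this is an inference, but a handler result such as `NGX_AGAIN` or `NGX_DECLINED` would now reach them unchanged and could be taken for "need more data" or for success on a response whose headers were only partly processed. If handlers are meant to return only `NGX_OK`, `NGX_ERROR` or `NGX_HTTP_UPSTREAM_INVALID_HEADER`, state that contract in a comment at the call, e.g. `/* handlers return NGX_OK, NGX_ERROR or NGX_HTTP_UPSTREAM_INVALID_HEADER only */`; otherwise normalise with `return (rc == NGX_HTTP_UPSTREAM_INVALID_HEADER) ? rc : NGX_ERROR;`. Each enclosing function starts and ends outside its hunk, so the declaration of `rc` is not visible either.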
> --- a/src/http/modules/ngx_http_scgi_module.c
> +++ b/src/http/modules/ngx_http_scgi_module.c
> @@ -1114,8 +1114,12 @@ ngx_http_scgi_process_header(ngx_http_re
> hh = ngx_hash_find(&umcf->headers_in_hash, h->hash,
> h->lowcase_key, h->key.len);
>
> - if (hh && hh->handler(r, h, hh->offset) != NGX_OK) {
> - return NGX_ERROR;
> + if (hh) {
> + rc = hh->handler(r, h, hh->offset);
> +
> + if (rc != NGX_OK) {
> + return rc;
> + }
> }
>
> ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
> diff --git a/src/http/modules/ngx_http_uwsgi_module.c
> b/src/http/modules/ngx_http_uwsgi_module.c
> --- a/src/http/modules/ngx_http_uwsgi_module.c
> +++ b/src/http/modules/ngx_http_uwsgi_module.c
> @@ -1340,8 +1340,12 @@ ngx_http_uwsgi_process_header(ngx_http_r
> hh = ngx_hash_find(&umcf->headers_in_hash, h->hash,
> h->lowcase_key, h->key.len);
>
> - if (hh && hh->handler(r, h, hh->offset) != NGX_OK) {
> - return NGX_ERROR;
> + if (hh) {
> + rc = hh->handler(r, h, hh->offset);
> +
> + if (rc != NGX_OK) {
> + return rc;
> + }
> }
>
> ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
> diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c
> --- a/src/http/ngx_http_upstream.c
> +++ b/src/http/ngx_http_upstream.c
> @@ -4633,10 +4633,34 @@ ngx_http_upstream_process_content_length
>
> u = r->upstream;
>
> + if (u->headers_in.content_length) {
> + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
> + "upstream sent duplicate header line: \"%V: %V\", "
> + "previous value: \"%V: %V\"",
> + &h->key, &h->value,
> + &u->headers_in.content_length->key,
> + &u->headers_in.content_length->value);
> + return NGX_HTTP_UPSTREAM_INVALID_HEADER;
> + }
> +
> + if (u->headers_in.transfer_encoding) {
> + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
> + "upstream sent \"Content-Length\" and "
> + "\"Transfer-Encoding\" headers at the same time");
> + return NGX_HTTP_UPSTREAM_INVALID_HEADER;
> + }
> +
> h->next = NULL;
> u->headers_in.content_length = h;
> u->headers_in.content_length_n = ngx_atoof(h->value.data, h->value.len);
>
> + if (u->headers_in.content_length_n == NGX_ERROR) {
> + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
> + "upstream sent invalid \"Content-Length\" header: "
> + "\"%V: %V\"", &h->key, &h->value);
> + return NGX_HTTP_UPSTREAM_INVALID_HEADER;
> + }
> +
> return NGX_OK;
> }
>
> @@ -5021,14 +5045,37 @@ ngx_http_upstream_process_transfer_encod
> ngx_http_upstream_t *u;
>
> u = r->upstream;
> +
> + if (u->headers_in.transfer_encoding) {
> + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
> + "upstream sent duplicate header line: \"%V: %V\", "
> + "previous value: \"%V: %V\"",
> + &h->key, &h->value,
> + &u->headers_in.transfer_encoding->key,
> + &u->headers_in.transfer_encoding->value);
> + return NGX_HTTP_UPSTREAM_INVALID_HEADER;
> + }
> +
> + if (u->headers_in.content_length) {
> + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
> + "upstream sent \"Content-Length\" and "
> + "\"Transfer-Encoding\" headers at the same time");
> + return NGX_HTTP_UPSTREAM_INVALID_HEADER;
> + }
> +
> u->headers_in.transfer_encoding = h;
> h->next = NULL;
>
> - if (ngx_strlcasestrn(h->value.data, h->value.data + h->value.len,
> - (u_char *) "chunked", 7 - 1)
> - != NULL)
> + if (h->value.len == 7
> + && ngx_strncasecmp(h->value.data, (u_char *) "chunked", 7) == 0)
> {
> u->headers_in.chunked = 1;
> +
> + } else {
> + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
> + "upstream sent unknown \"Transfer-Encoding\": \"%V\"",
> + &h->value);
> + return NGX_HTTP_UPSTREAM_INVALID_HEADER;
> }
>
> return NGX_OK;
This is a subtle(?) change, which makes "chunked" the only valid header value. OTOH, it looks fine since other values require explicit support as well.
_______________________________________________ nginx-devel mailing list -- nginx-devel@nginx.org To unsubscribe send an email to nginx-devel-le...@nginx.org
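Review bot: In `ngx_http_upstream_process_content_length` the new invalid-value check runs after `u->headers_in.content_length = h` and the `content_length_n` assignment, so on the rejection path the upstream state already references the header that was just refused, with `content_length_n` holding the `ngx_atoof()` error value. Whether anything reads `u->headers_in` after `NGX_HTTP_UPSTREAM_INVALID_HEADER` is returned is not visible here, but validating first keeps the state clean regardless: parse into a local (`n = ngx_atoof(h->value.data, h->value.len);`), return on `n == NGX_ERROR`, and only then store `h` and `n`. The transfer-encoding hunk has the same ordering, assigning `u->headers_in.transfer_encoding = h` before the value is compared with "chunked". Both functions begin outside their hunks.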