nic-6443 opened a new pull request, #13369:
URL: https://github.com/apache/apisix/pull/13369
Several plugins and routers declared `local tbl = {}` at module scope and
reused the same table across coroutines via `core.table.clear()`. When a
function yields (e.g. `ctx.var[...]` lookup or shdict op), another concurrent
request on the same worker can re-enter and mutate the shared table, causing
cross-request state pollution.
**Affected high-risk sites** (yield in function body):
- `prometheus/exporter.lua`: `inner_tab_arr` in `gen_arr()`,
`extra_labels_tbl` in `extra_labels()` — replaced with per-call local table
- `proxy-cache/util.lua`: `tmp` in `generate_complex_value()` — replaced
with `core.tablepool.fetch/release`
- `redirect.lua`: `tmp` in `concat_new_uri()` — replaced with
`core.tablepool.fetch/release`
**Affected low-risk sites** (preventive, no current yield):
- `api_router.lua`: `match_opts` in `match()` — replaced with
`core.tablepool.fetch/release`
- `control/router.lua`: `match_opts` in `match()` — replaced with
`core.tablepool.fetch/release`
- `stream/router/ip_port.lua`: `match_opts` in `match()` — replaced with
`core.tablepool.fetch/release`
This follows the same fix pattern as the historical radixtree_host_uri
route-mismatch fix (PR #10198).
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
