Package: nginx Version: 1.24.0-1 Severity: normal Dear Maintainer,
Test setup:
-- >8 --
#!/bin/sh
printf '%s\n' "Status: ${DOCUMENT_URI##*/}" 'Content-Type: text/plain' ''
"${DOCUMENT_URI##*/}"
-- >8 --
in /tmp/cgi and
-- >8 --
server {
listen 127.1.2.3:80;
location / {
fastcgi_pass unix:/run/fcgiwrap.socket;
include /etc/nginx/fastcgi_params;
fastcgi_param SCRIPT_FILENAME /tmp/cgi;
}
}
-- >8 --
in /etc/nginx/sites-enabled/demo.
Naturally, this program returns "Status: {request path without /}",
with body "{request path without /}" and whatever padding to make
it palatable to nginx.
Now, the abridged bug (full log attached, but it's not exciting):
-- >8 --
$ curl -s -vvv http://127.1.2.3/'404%20Zupa' 2>&1 | cat -A
> GET /404%20Zupa HTTP/1.1^M$
< HTTP/1.1 404 Zupa^M$
< Server: nginx/1.24.0^M$
404 Zupa$
$ curl -s -vvv http://127.1.2.3/'404%20' 2>&1 | cat -A
> GET /404%20 HTTP/1.1^M$
< HTTP/1.1 404^M$
< Server: nginx/1.24.0^M$
404 $
$ curl -s -vvv http://127.1.2.3/'404' 2>&1 | cat -A
> GET /404 HTTP/1.1^M$
< HTTP/1.1 404^M$
< Server: nginx/1.24.0^M$
404$
$ curl -s -vvv http://127.1.2.3/'40' 2>&1 | cat -A
> GET /40 HTTP/1.1^M$
< HTTP/1.1 502 Bad Gateway^M$
< Server: nginx/1.24.0^M$
<html>^M$
<head><title>502 Bad Gateway</title></head>^M$
<body>^M$
<center><h1>502 Bad Gateway</h1></center>^M$
<hr><center>nginx/1.24.0</center>^M$
</body>^M$
</html>^M$
-- >8 --
(yes, I straced fcgiwrap, it doesn't mangle the Status lines).
Case-wise:
"404 Zupa" correct! it's a valid 404
"40" correct! it's invalid, 502ing is sensible
but
"404 " wrong!
"404" wrong!
Both are normalised by nginx to "HTTP/1.1 404",
which is invalid accd'g to RFC9112 (I think that's the current standard?):
https://www.rfc-editor.org/rfc/rfc9112.html#name-collected-abnf
which says
start-line = request-line / status-line
status-code = 3DIGIT
status-line = HTTP-version SP status-code SP [ reason-phrase ]
Naturally, nginx is producing a status-line without the second SP,
which is wrong!
Repros on sid and bookworm.
Best,
наб
-- System Information:
Debian Release: trixie/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: x32 (x86_64)
Foreign Architectures: amd64, i386
Kernel: Linux 6.3.0-2-amd64 (SMP w/2 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_WARN, TAINT_OOT_MODULE,
TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages nginx depends on:
ii iproute2 6.4.0-1
ii libc6 2.37-6
ii libcrypt1 1:4.4.35-1
ii libpcre2-8-0 10.42-2
ii libssl3 3.0.10-1
ii nginx-common 1.24.0-1
ii zlib1g 1:1.2.13.dfsg-1
nginx recommends no packages.
nginx suggests no packages.
-- no debconf information
$ curl -s -vvv http://127.1.2.3/'404%20Zupa' 2>&1 | cat -A * Trying 127.1.2.3:80...$ * Connected to 127.1.2.3 (127.1.2.3) port 80 (#0)$ > GET /404%20Zupa HTTP/1.1^M$ > Host: 127.1.2.3^M$ > User-Agent: curl/7.86.0^M$ > Accept: */*^M$ > ^M$ * Mark bundle as not supporting multiuse$ < HTTP/1.1 404 Zupa^M$ < Server: nginx/1.24.0^M$ < Date: Sat, 26 Aug 2023 11:53:59 GMT^M$ < Content-Type: text/plain^M$ < Transfer-Encoding: chunked^M$ < Connection: keep-alive^M$ < ^M$ { [19 bytes data]$ * Connection #0 to host 127.1.2.3 left intact$ 404 Zupa$ $ curl -s -vvv http://127.1.2.3/'404%20' 2>&1 | cat -A * Trying 127.1.2.3:80...$ * Connected to 127.1.2.3 (127.1.2.3) port 80 (#0)$ > GET /404%20 HTTP/1.1^M$ > Host: 127.1.2.3^M$ > User-Agent: curl/7.86.0^M$ > Accept: */*^M$ > ^M$ * Mark bundle as not supporting multiuse$ < HTTP/1.1 404^M$ < Server: nginx/1.24.0^M$ < Date: Sat, 26 Aug 2023 11:54:04 GMT^M$ < Content-Type: text/plain^M$ < Transfer-Encoding: chunked^M$ < Connection: keep-alive^M$ < ^M$ { [15 bytes data]$ * Connection #0 to host 127.1.2.3 left intact$ 404 $ $ curl -s -vvv http://127.1.2.3/'404' 2>&1 | cat -A * Trying 127.1.2.3:80...$ * Connected to 127.1.2.3 (127.1.2.3) port 80 (#0)$ > GET /404 HTTP/1.1^M$ > Host: 127.1.2.3^M$ > User-Agent: curl/7.86.0^M$ > Accept: */*^M$ > ^M$ * Mark bundle as not supporting multiuse$ < HTTP/1.1 404^M$ < Server: nginx/1.24.0^M$ < Date: Sat, 26 Aug 2023 11:55:51 GMT^M$ < Content-Type: text/plain^M$ < Transfer-Encoding: chunked^M$ < Connection: keep-alive^M$ < ^M$ { [14 bytes data]$ * Connection #0 to host 127.1.2.3 left intact$ 404$ $ curl -s -vvv http://127.1.2.3/'40' 2>&1 | cat -A * Trying 127.1.2.3:80...$ * Connected to 127.1.2.3 (127.1.2.3) port 80 (#0)$ > GET /40 HTTP/1.1^M$ > Host: 127.1.2.3^M$ > User-Agent: curl/7.86.0^M$ > Accept: */*^M$ > ^M$ * Mark bundle as not supporting multiuse$ < HTTP/1.1 502 Bad Gateway^M$ < Server: nginx/1.24.0^M$ < Date: Sat, 26 Aug 2023 11:55:53 GMT^M$ < Content-Type: text/html^M$ < Content-Length: 157^M$ < Connection: keep-alive^M$ < ^M$ { [157 bytes data]$ * Connection #0 to host 127.1.2.3 left intact$ <html>^M$ <head><title>502 Bad Gateway</title></head>^M$ <body>^M$ <center><h1>502 Bad Gateway</h1></center>^M$ <hr><center>nginx/1.24.0</center>^M$ </body>^M$ </html>^M$
signature.asc
Description: PGP signature

