On Sat, 26 Aug 2023 at 14:21, наб <nabijaczlew...@nabijaczleweli.xyz> wrote:
> Package: nginx
> Version: 1.24.0-1
> Severity: normal
>
> Dear Maintainer,
>
> Test setup:
> -- >8 --
> #!/bin/sh
> printf '%s\n' "Status: ${DOCUMENT_URI##*/}" 'Content-Type: text/plain' '' "${DOCUMENT_URI##*/}"
> -- >8 --
> in /tmp/cgi and
> -- >8 --
> server {
>     listen 127.1.2.3:80;
>     location / {
>         fastcgi_pass unix:/run/fcgiwrap.socket;
>         include /etc/nginx/fastcgi_params;
>         fastcgi_param SCRIPT_FILENAME /tmp/cgi;
>     }
> }
> -- >8 --
> in /etc/nginx/sites-enabled/demo.
>
> Naturally, this program returns "Status: {request path without /}",
> with body "{request path without /}" and whatever padding to make
> it palatable to nginx.
>
> Now, the abridged bug (full log attached, but it's not exciting):
> -- >8 --
> $ curl -s -vvv http://127.1.2.3/'404%20Zupa' 2>&1 | cat -A
> > GET /404%20Zupa HTTP/1.1^M$
> < HTTP/1.1 404 Zupa^M$
> < Server: nginx/1.24.0^M$
> 404 Zupa$
>
> $ curl -s -vvv http://127.1.2.3/'404%20' 2>&1 | cat -A
> > GET /404%20 HTTP/1.1^M$
> < HTTP/1.1 404^M$
> < Server: nginx/1.24.0^M$
> 404 $
>
> $ curl -s -vvv http://127.1.2.3/'404' 2>&1 | cat -A
> > GET /404 HTTP/1.1^M$
> < HTTP/1.1 404^M$
> < Server: nginx/1.24.0^M$
> 404$
>
> $ curl -s -vvv http://127.1.2.3/'40' 2>&1 | cat -A
> > GET /40 HTTP/1.1^M$
> < HTTP/1.1 502 Bad Gateway^M$
> < Server: nginx/1.24.0^M$
> <html>^M$
> <head><title>502 Bad Gateway</title></head>^M$
> <body>^M$
> <center><h1>502 Bad Gateway</h1></center>^M$
> <hr><center>nginx/1.24.0</center>^M$
> </body>^M$
> </html>^M$
> -- >8 --
> (yes, I straced fcgiwrap, it doesn't mangle the Status lines).
>
> Case-wise:
>   "404 Zupa"  correct! it's a valid 404
>   "40"        correct! it's invalid, 502ing is sensible
> but
>   "404 "      wrong!
>   "404"       wrong!
>
> Both are normalised by nginx to "HTTP/1.1 404",
> which is invalid accd'g to RFC9112 (I think that's the current standard?):
>   https://www.rfc-editor.org/rfc/rfc9112.html#name-collected-abnf
> which says
>   start-line = request-line / status-line
>   status-code = 3DIGIT
>   status-line = HTTP-version SP status-code SP [ reason-phrase ]
>
> Naturally, nginx is producing a status-line without the second SP,
> which is wrong!
>
> Repros on sid and bookworm.
>

Forwarded to nginx mailing list, should appear here:
https://mailman.nginx.org/pipermail/nginx/2023-August/thread.html

Jérémy
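
A conformance check for the status-line ABNF quoted in the report, as an added example that is not part of the original thread or of nginx. The `HTTP-version` and `reason-phrase` rules are taken from RFC 9112; the function names and the sample byte strings (modelled on the curl output above) are constructed here.

```python
import re

# RFC 9112: status-line = HTTP-version SP status-code SP [ reason-phrase ]
#   HTTP-version  = "HTTP/" DIGIT "." DIGIT
#   status-code   = 3DIGIT
#   reason-phrase = 1*( HTAB / SP / VCHAR / obs-text )
STRICT = re.compile(rb"HTTP/[0-9]\.[0-9] [0-9]{3} [\t \x21-\x7e\x80-\xff]*")
# The same line with the second SP (and so the reason-phrase) left out.
NO_SECOND_SP = re.compile(rb"HTTP/[0-9]\.[0-9] [0-9]{3}")


def first_line(response: bytes) -> bytes:
    """Return the start-line of a raw response, without its CRLF."""
    line, sep, _ = response.partition(b"\r\n")
    if not sep:
        raise ValueError("no CRLF-terminated start-line")
    return line


def classify(response: bytes) -> str:
    """Classify the status-line of a raw HTTP/1.x response."""
    line = first_line(response)
    if STRICT.fullmatch(line):
        return "conforming"
    if NO_SECOND_SP.fullmatch(line):
        return "missing SP after status-code"
    return "malformed"


# Constructed samples, keyed by the Status value the CGI script sent.
SAMPLES = {
    "404 Zupa": b"HTTP/1.1 404 Zupa\r\nServer: nginx/1.24.0\r\n\r\n404 Zupa\n",
    "404 ": b"HTTP/1.1 404\r\nServer: nginx/1.24.0\r\n\r\n404 \n",
    "404": b"HTTP/1.1 404\r\nServer: nginx/1.24.0\r\n\r\n404\n",
    "40": b"HTTP/1.1 502 Bad Gateway\r\nServer: nginx/1.24.0\r\n\r\n",
}


def report() -> dict:
    """Map each sample's Status value to its classification."""
    return {status: classify(raw) for status, raw in SAMPLES.items()}


if __name__ == "__main__":
    for status, verdict in report().items():
        print(f"Status: {status!r:12} -> {verdict}")
```

The strict pattern accepts `HTTP/1.1 404 ` (trailing SP, empty reason-phrase), which is the form the ABNF requires when no reason-phrase is sent.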