Folks,

If anybody's running nginx with slowcgi(8) on or before OpenBSD 5.5 release, be aware that there's a subtle error (fixed after 5.5) that silently discards HTTP headers with some referrers.

Long story: I noticed that cookies POSTed by an iPhone client were lost before being passed to a slowcgi(8) script. Several other HTTP headers were also lost (Accept-Language, etc.). But they were passed through in GET calls (and in POST from other systems). Dumping the request via tcpdump(8), I saw that each of the lost headers occurred after a monster User-Agent string. In this case,

User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11B554a Safari/9537.53

For the GET calls to the CGI via slowcgi(8), this was being invoked last, so there was no loss.

I remembered seeing something in plus.html about the following:

http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/slowcgi/slowcgi.c?rev=1.30;content-type=text%2Fx-cvsweb-markup

florian@ saves the day! The commit message only mentions QUERY_STRING, but as it turns out, it's also relevant to other headers. And in this case, causes silent loss. So if you're using slowcgi(8), you probably want to upgrade...

Best,

Kristaps
