details: https://hg.nginx.org/nginx/rev/9f1f9d6e056a branches: changeset: 7561:9f1f9d6e056a user: Sergey Kandaurov <pluk...@nginx.com> date: Mon Aug 19 15:16:06 2019 +0300 description: HTTP/2: discard remaining request body after redirect.
Previously, if unbuffered request body reading wasn't finished before the request was redirected to a different location using error_page or X-Accel-Redirect, and the request body is read again, this could lead to disastrous effects, such as a duplicate post_handler call or "http request count is zero" alert followed by a segmentation fault. This happened in the following configuration (ticket #1819): location / { proxy_request_buffering off; proxy_pass http://bad; proxy_intercept_errors on; error_page 502 = /error; } location /error { proxy_pass http://backend; } diffstat: src/http/v2/ngx_http_v2.c | 11 +++++++++-- 1 files changed, 9 insertions(+), 2 deletions(-) diffs (28 lines): diff -r 2432a687e789 -r 9f1f9d6e056a src/http/v2/ngx_http_v2.c --- a/src/http/v2/ngx_http_v2.c Fri Aug 16 18:16:21 2019 +0300 +++ b/src/http/v2/ngx_http_v2.c Mon Aug 19 15:16:06 2019 +0300 @@ -947,6 +947,15 @@ ngx_http_v2_state_read_data(ngx_http_v2_ return ngx_http_v2_state_skip_padded(h2c, pos, end); } + r = stream->request; + + if (r->reading_body && !r->request_body_no_buffering) { + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, h2c->connection->log, 0, + "skipping http2 DATA frame"); + + return ngx_http_v2_state_skip_padded(h2c, pos, end); + } + size = end - pos; if (size >= h2c->state.length) { @@ -954,8 +963,6 @@ ngx_http_v2_state_read_data(ngx_http_v2_ stream->in_closed = h2c->state.flags & NGX_HTTP_V2_END_STREAM_FLAG; } - r = stream->request; - if (r->request_body) { rc = ngx_http_v2_process_request_body(r, pos, size, stream->in_closed); _______________________________________________ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel