Mercurial > hg > nginx
comparison src/http/v3/ngx_http_v3_request.c @ 9259:81082b5521dd
Request body: body is now cleared on errors.
Previously, after errors the request body was left in a potentially
inconsistent state, with r->headers_in.content_length_n which might be
larger than buffers actually stored in r->request_body->bufs (or not
set at all, in case of HTTP/2 and HTTP/3). This can cause issues if
the request body is subsequently used during error_page handling, such
as when proxying.
Fix is to clear r->request_body->bufs if this happens, and set
r->headers_in.content_length_n to 0, much like it happens when
ngx_http_discard_request_body() is called when returning 413 from
ngx_http_core_find_config_phase() for requests with Content-Length.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Sat, 27 Apr 2024 18:21:38 +0300 |
| parents | 208a4adb82ef |
| children | 388a801e9bb9 |
comparison
equal
deleted
inserted
replaced
| 9258:c9550e77186c | 9259:81082b5521dd |
|---|---|
| 1289 } | 1289 } |
| 1290 | 1290 |
| 1291 rc = ngx_http_v3_do_read_client_request_body(r); | 1291 rc = ngx_http_v3_do_read_client_request_body(r); |
| 1292 | 1292 |
| 1293 if (rc >= NGX_HTTP_SPECIAL_RESPONSE) { | 1293 if (rc >= NGX_HTTP_SPECIAL_RESPONSE) { |
| 1294 | |
| 1295 r->headers_in.content_length_n = 0; | |
| 1296 r->request_body->bufs = NULL; | |
| 1297 | |
| 1294 ngx_http_finalize_request(r, rc); | 1298 ngx_http_finalize_request(r, rc); |
| 1295 } | 1299 } |
| 1296 } | 1300 } |
| 1297 | 1301 |
| 1298 | 1302 |