Mercurial > hg > nginx
comparison src/http/v3/ngx_http_v3_request.c @ 9259:81082b5521dd
Request body: body is now cleared on errors.
Previously, after errors the request body was left in a potentially
inconsistent state, with r->headers_in.content_length_n which might be
larger than buffers actually stored in r->request_body->bufs (or not
set at all, in case of HTTP/2 and HTTP/3). This can cause issues if
the request body is subsequently used during error_page handling, such
as when proxying.
Fix is to clear r->request_body->bufs if this happens, and set
r->headers_in.content_length_n to 0, much like it happens when
ngx_http_discard_request_body() is called when returning 413 from
ngx_http_core_find_config_phase() for requests with Content-Length.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Sat, 27 Apr 2024 18:21:38 +0300 |
parents | 208a4adb82ef |
children | 388a801e9bb9 |
comparison
equal
deleted
inserted
replaced
9258:c9550e77186c | 9259:81082b5521dd |
---|---|
1289 } | 1289 } |
1290 | 1290 |
1291 rc = ngx_http_v3_do_read_client_request_body(r); | 1291 rc = ngx_http_v3_do_read_client_request_body(r); |
1292 | 1292 |
1293 if (rc >= NGX_HTTP_SPECIAL_RESPONSE) { | 1293 if (rc >= NGX_HTTP_SPECIAL_RESPONSE) { |
1294 | |
1295 r->headers_in.content_length_n = 0; | |
1296 r->request_body->bufs = NULL; | |
1297 | |
1294 ngx_http_finalize_request(r, rc); | 1298 ngx_http_finalize_request(r, rc); |
1295 } | 1299 } |
1296 } | 1300 } |
1297 | 1301 |
1298 | 1302 |