[Pkg-nginx-maintainers] Bug#1050571: reportbug: nginx normalises "Status: 123 " and "Status: 123" to invalid "HTTP/1.1 123" (must be "HTTP/1.1 123 ")

наб nabijaczleweli at nabijaczleweli.xyz
Sat Aug 26 13:16:34 BST 2023 

Package: nginx
Version: 1.24.0-1
Severity: normal

Dear Maintainer,

Test setup:
-- >8 --
#!/bin/sh
printf '%s\n' "Status: ${DOCUMENT_URI##*/}" 'Content-Type: text/plain' '' "${DOCUMENT_URI##*/}"
-- >8 --
in /tmp/cgi and
-- >8 --
server {
        listen 127.1.2.3:80;
        location / {
                fastcgi_pass unix:/run/fcgiwrap.socket;
                include /etc/nginx/fastcgi_params;
                fastcgi_param SCRIPT_FILENAME /tmp/cgi;
        }
}
-- >8 --
in /etc/nginx/sites-enabled/demo.

Naturally, this program returns "Status: {request path without /}",
with body "{request path without /}" and whatever padding to make
it palatable to nginx.

Now, the abridged bug (full log attached, but it's not exciting):
-- >8 --
$ curl -s -vvv http://127.1.2.3/'404%20Zupa' 2>&1 | cat -A
> GET /404%20Zupa HTTP/1.1^M$
< HTTP/1.1 404 Zupa^M$
< Server: nginx/1.24.0^M$
404 Zupa$

$ curl -s -vvv http://127.1.2.3/'404%20' 2>&1 | cat -A
> GET /404%20 HTTP/1.1^M$
< HTTP/1.1 404^M$
< Server: nginx/1.24.0^M$
404 $

$ curl -s -vvv http://127.1.2.3/'404' 2>&1 | cat -A
> GET /404 HTTP/1.1^M$
< HTTP/1.1 404^M$
< Server: nginx/1.24.0^M$
404$

$ curl -s -vvv http://127.1.2.3/'40' 2>&1 | cat -A
> GET /40 HTTP/1.1^M$
< HTTP/1.1 502 Bad Gateway^M$
< Server: nginx/1.24.0^M$
<html>^M$
<head><title>502 Bad Gateway</title></head>^M$
<body>^M$
<center><h1>502 Bad Gateway</h1></center>^M$
<hr><center>nginx/1.24.0</center>^M$
</body>^M$
</html>^M$
-- >8 --
(yes, I straced fcgiwrap, it doesn't mangle the Status lines).

Case-wise:
  "404 Zupa" correct! it's a valid 404
  "40"       correct! it's invalid, 502ing is sensible
but
  "404 "     wrong!
  "404"      wrong!

Both are normalised by nginx to "HTTP/1.1 404",
which is invalid accd'g to RFC9112 (I think that's the current standard?):
  https://www.rfc-editor.org/rfc/rfc9112.html#name-collected-abnf
which says
  start-line = request-line / status-line
  status-code = 3DIGIT
  status-line = HTTP-version SP status-code SP [ reason-phrase ]

Naturally, nginx is producing a status-line without the second SP,
which is wrong!

Repros on sid and bookworm.

Best,
наб

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: x32 (x86_64)
Foreign Architectures: amd64, i386

Kernel: Linux 6.3.0-2-amd64 (SMP w/2 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages nginx depends on:
ii  iproute2      6.4.0-1
ii  libc6         2.37-6
ii  libcrypt1     1:4.4.35-1
ii  libpcre2-8-0  10.42-2
ii  libssl3       3.0.10-1
ii  nginx-common  1.24.0-1
ii  zlib1g        1:1.2.13.dfsg-1

nginx recommends no packages.

nginx suggests no packages.

-- no debconf information
-------------- next part --------------
$ curl -s -vvv http://127.1.2.3/'404%20Zupa' 2>&1 | cat -A
*   Trying 127.1.2.3:80...$
* Connected to 127.1.2.3 (127.1.2.3) port 80 (#0)$
> GET /404%20Zupa HTTP/1.1^M$
> Host: 127.1.2.3^M$
> User-Agent: curl/7.86.0^M$
> Accept: */*^M$
> ^M$
* Mark bundle as not supporting multiuse$
< HTTP/1.1 404 Zupa^M$
< Server: nginx/1.24.0^M$
< Date: Sat, 26 Aug 2023 11:53:59 GMT^M$
< Content-Type: text/plain^M$
< Transfer-Encoding: chunked^M$
< Connection: keep-alive^M$
< ^M$
{ [19 bytes data]$
* Connection #0 to host 127.1.2.3 left intact$
404 Zupa$

$ curl -s -vvv http://127.1.2.3/'404%20' 2>&1 | cat -A
*   Trying 127.1.2.3:80...$
* Connected to 127.1.2.3 (127.1.2.3) port 80 (#0)$
> GET /404%20 HTTP/1.1^M$
> Host: 127.1.2.3^M$
> User-Agent: curl/7.86.0^M$
> Accept: */*^M$
> ^M$
* Mark bundle as not supporting multiuse$
< HTTP/1.1 404^M$
< Server: nginx/1.24.0^M$
< Date: Sat, 26 Aug 2023 11:54:04 GMT^M$
< Content-Type: text/plain^M$
< Transfer-Encoding: chunked^M$
< Connection: keep-alive^M$
< ^M$
{ [15 bytes data]$
* Connection #0 to host 127.1.2.3 left intact$
404 $

$ curl -s -vvv http://127.1.2.3/'404' 2>&1 | cat -A
*   Trying 127.1.2.3:80...$
* Connected to 127.1.2.3 (127.1.2.3) port 80 (#0)$
> GET /404 HTTP/1.1^M$
> Host: 127.1.2.3^M$
> User-Agent: curl/7.86.0^M$
> Accept: */*^M$
> ^M$
* Mark bundle as not supporting multiuse$
< HTTP/1.1 404^M$
< Server: nginx/1.24.0^M$
< Date: Sat, 26 Aug 2023 11:55:51 GMT^M$
< Content-Type: text/plain^M$
< Transfer-Encoding: chunked^M$
< Connection: keep-alive^M$
< ^M$
{ [14 bytes data]$
* Connection #0 to host 127.1.2.3 left intact$
404$

$ curl -s -vvv http://127.1.2.3/'40' 2>&1 | cat -A
*   Trying 127.1.2.3:80...$
* Connected to 127.1.2.3 (127.1.2.3) port 80 (#0)$
> GET /40 HTTP/1.1^M$
> Host: 127.1.2.3^M$
> User-Agent: curl/7.86.0^M$
> Accept: */*^M$
> ^M$
* Mark bundle as not supporting multiuse$
< HTTP/1.1 502 Bad Gateway^M$
< Server: nginx/1.24.0^M$
< Date: Sat, 26 Aug 2023 11:55:53 GMT^M$
< Content-Type: text/html^M$
< Content-Length: 157^M$
< Connection: keep-alive^M$
< ^M$
{ [157 bytes data]$
* Connection #0 to host 127.1.2.3 left intact$
<html>^M$
<head><title>502 Bad Gateway</title></head>^M$
<body>^M$
<center><h1>502 Bad Gateway</h1></center>^M$
<hr><center>nginx/1.24.0</center>^M$
</body>^M$
</html>^M$
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-nginx-maintainers/attachments/20230826/066524e0/attachment.sig>

More information about the Pkg-nginx-maintainers mailing list