|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
[2012-03-01 12:04 UTC] bruzh2 at gmail dot com
Description: ------------ The function fcgi_get_params() checks fastcgi name-value pairs on their effective sizes using fcgi_param_get_eff_len(). This works good only for zero-ended string values, but not the binary data. Suppose we want to transmit binary data with zeroes in the middle. In that case fcgi_param_get_eff_len() returns 0. That causes FPM to drop FastCGI connection. Test script: --------------- How to reproduce (passing binary client address in BREMOTE_ADDR): nginx server configuration: http://www.box.com/s/dduo08uni67ilgjnn6rc TCP session dump (tcpdump -ni lo port 4006 -X -s 0): http://www.box.com/s/ukkyco8raeijvb3hr8ep Expected result: ---------------- Expected: full response from PHP. Actual result: -------------- Actually got: TCP reset immediately after receiving data packet with FastCGI request. You may decode bytes sequence in the data packet. Bytes from 0x0094 to 0x00A5 are: 0x0094 = x0c = 12 (the length of "BREMOTE_ADDR" string) 0x0095 = x04 = 04 (the length of binary data) 0x0096-0x00A1 = "BREMOTE_ADDR" (the name) 0x00A2-0x00A5 = 0x7f 0x00 0x00 0x01 (the binary representation of IPv4 address 127.0.0.1) I found something like FastCGI specs on http://www.fastcgi.com/drupal/node/6?q=node/22#S5.2 "3.4 Name-Value Pairs ... This name-value pair format allows the sender to transmit binary values without additional encoding, and enables the receiver to allocate the correct amount of storage immediately even for large values." Thus, I think assuming that all FastCGI data is a zero-ended strings is wrong. I wrote a patch that removes check for non-zero byte after "end of string". Patchesphp-fastcgi_binary_bug-fastcgi.c.patch (last revision 2012-03-01 12:05 UTC by bruzh2 at gmail dot com)Pull RequestsHistoryAllCommentsChangesGit/SVN commits
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Thu Nov 21 12:01:29 2024 UTC |
linux command line to send HTTP request to nginx: echo -e "GET /test.php HTTP/1.1\nHost: tmp\nConnection: close\n" | nc localhost 80 nginx response: HTTP/1.1 502 Bad Gateway Server: nginx/0.7.68 Date: Thu, 01 Mar 2012 10:39:21 GMT Content-Type: text/html; charset=utf-8 Content-Length: 173 Connection: close Set-Cookie: ngs_uid=fwAAAU9PUdk/Oi4mAwMJAg==; expires=Sun, 27-Feb-22 10:39:21 GMT; domain=ngs.ru; path=/ P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM" <html> <head><title>502 Bad Gateway</title></head> <body bgcolor="white"> <center><h1>502 Bad Gateway</h1></center> <hr><center>nginx/0.7.68</center> </body> </html> Take note this is LOCAL connection to nginx. Further nginx transmits 4 bytes ('127.0.0.1' = 0x7f 0x00 0x00 0x01) in the 'BREMOTE_ADDR' FastCGI value. And PHP-FPM drops FastCGI connection after receiving non-zero ended binary sequence in the FastCGI value. Any other connection from HTTP client without zeroes in the IPv4 address would work.