HTTP/2: enforce writing the sync request body buffer to file.
The sync flag of HTTP/2 request body buffer is used when the size of request
body is unknown or bigger than configured "client_body_buffer_size". In this
case the buffer points to body data inside the global receive buffer that is
used for reading all HTTP/2 connections in the worker process. Thus, when the
sync flag is set, the buffer must be flushed to a temporary file, otherwise
the request body data can be overwritten.
Previously, the sync buffer wasn't flushed to a temporary file if the whole
body was received in one DATA frame with the END_STREAM flag and wasn't
copied into the HTTP/2 body preread buffer. As a result, the request body
might be corrupted (ticket #1384).
Now, setting r->request_body_in_file_only enforces writing the sync buffer
to a temporary file in all cases.
Valentin Bartenev
4 years ago
| 3556 | 3556 | rb->buf = ngx_create_temp_buf(r->pool, (size_t) len); |
| 3557 | 3557 | |
| 3558 | 3558 | } else { |
| 3559 | if (stream->preread) { | |
| 3560 | /* enforce writing preread buffer to file */ | |
| 3561 | r->request_body_in_file_only = 1; | |
| 3562 | } | |
| 3563 | ||
| 3564 | 3559 | rb->buf = ngx_calloc_buf(r->pool); |
| 3565 | 3560 | |
| 3566 | 3561 | if (rb->buf != NULL) { |
| 3658 | 3653 | if (buf->sync) { |
| 3659 | 3654 | buf->pos = buf->start = pos; |
| 3660 | 3655 | buf->last = buf->end = pos + size; |
| 3656 | ||
| 3657 | r->request_body_in_file_only = 1; | |
| 3661 | 3658 | |
| 3662 | 3659 | } else { |
| 3663 | 3660 | if (size > (size_t) (buf->end - buf->last)) { |