From 6305d23e8da0dfda8972f1cdcf19236ff081fd0a Mon Sep 17 00:00:00 2001 From: Morten Minde Neergaard <169057+xim@users.noreply.github.com> Date: Fri, 25 Apr 2025 16:25:06 +0200 Subject: [PATCH] HTTP: add client_body_temp_access directive. Allows setting access permissions on temporary files created when writing a client request body to client_body_temp_path. Previously, these files were opened with 0600. If nginx hands a buffered upload off to a backend on the same host via client_body_in_file_only and the $request_body_file variable, a backend running as a different user cannot read the file. Closes: https://github.com/nginx/nginx/issues/656 --- contrib/vim/syntax/nginx.vim | 1 + src/http/ngx_http_core_module.c | 10 ++++++++++ src/http/ngx_http_core_module.h | 1 + src/http/ngx_http_request_body.c | 1 + 4 files changed, 13 insertions(+) diff --git a/contrib/vim/syntax/nginx.vim b/contrib/vim/syntax/nginx.vim index ea7c58464..7fcdffed2 100644 --- a/contrib/vim/syntax/nginx.vim +++ b/contrib/vim/syntax/nginx.vim @@ -153,6 +153,7 @@ syn keyword ngxDirective contained chunked_transfer_encoding syn keyword ngxDirective contained client_body_buffer_size syn keyword ngxDirective contained client_body_in_file_only syn keyword ngxDirective contained client_body_in_single_buffer +syn keyword ngxDirective contained client_body_temp_access syn keyword ngxDirective contained client_body_temp_path syn keyword ngxDirective contained client_body_timeout syn keyword ngxDirective contained client_header_buffer_size diff --git a/src/http/ngx_http_core_module.c b/src/http/ngx_http_core_module.c index 4e1c67282..a48048ea7 100644 --- a/src/http/ngx_http_core_module.c +++ b/src/http/ngx_http_core_module.c @@ -380,6 +380,13 @@ static ngx_command_t ngx_http_core_commands[] = { offsetof(ngx_http_core_loc_conf_t, client_body_temp_path), NULL }, + { ngx_string("client_body_temp_access"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE123, + ngx_conf_set_access_slot, + NGX_HTTP_LOC_CONF_OFFSET, + offsetof(ngx_http_core_loc_conf_t, client_body_temp_access), + NULL }, + { ngx_string("client_body_in_file_only"), NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1, ngx_conf_set_enum_slot, @@ -3663,6 +3670,7 @@ ngx_http_core_create_loc_conf(ngx_conf_t *cf) clcf->client_max_body_size = NGX_CONF_UNSET; clcf->client_body_buffer_size = NGX_CONF_UNSET_SIZE; clcf->client_body_timeout = NGX_CONF_UNSET_MSEC; + clcf->client_body_temp_access = NGX_CONF_UNSET_UINT; clcf->satisfy = NGX_CONF_UNSET_UINT; clcf->auth_delay = NGX_CONF_UNSET_MSEC; clcf->if_modified_since = NGX_CONF_UNSET_UINT; @@ -3895,6 +3903,8 @@ ngx_http_core_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child) NGX_HTTP_REQUEST_BODY_FILE_OFF); ngx_conf_merge_value(conf->client_body_in_single_buffer, prev->client_body_in_single_buffer, 0); + ngx_conf_merge_uint_value(conf->client_body_temp_access, + prev->client_body_temp_access, 0); ngx_conf_merge_value(conf->internal, prev->internal, 0); ngx_conf_merge_value(conf->sendfile, prev->sendfile, 0); ngx_conf_merge_size_value(conf->sendfile_max_chunk, diff --git a/src/http/ngx_http_core_module.h b/src/http/ngx_http_core_module.h index a13d7ade5..3138a3ca3 100644 --- a/src/http/ngx_http_core_module.h +++ b/src/http/ngx_http_core_module.h @@ -439,6 +439,7 @@ struct ngx_http_core_loc_conf_s { ngx_array_t *error_pages; /* error_page */ ngx_path_t *client_body_temp_path; /* client_body_temp_path */ + ngx_uint_t client_body_temp_access; /* client_body_temp_access */ ngx_open_file_cache_t *open_file_cache; time_t open_file_cache_valid; diff --git a/src/http/ngx_http_request_body.c b/src/http/ngx_http_request_body.c index 1d8e4081a..ad5580e85 100644 --- a/src/http/ngx_http_request_body.c +++ b/src/http/ngx_http_request_body.c @@ -569,6 +569,7 @@ ngx_http_write_request_body(ngx_http_request_t *r) tf->file.fd = NGX_INVALID_FILE; tf->file.log = r->connection->log; tf->path = clcf->client_body_temp_path; + tf->access = clcf->client_body_temp_access; tf->pool = r->pool; tf->warn = "a client request body is buffered to a temporary file"; tf->log_level = r->request_body_file_log_level;