Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Nginx passenger_env_var falsifying values #2419

Closed
klausmeyer opened this issue Apr 19, 2022 · 3 comments
Closed

Nginx passenger_env_var falsifying values #2419

klausmeyer opened this issue Apr 19, 2022 · 3 comments

Comments

@klausmeyer
Copy link

Issue report

Question 1: What is the problem?

When using the nginx module of passenger the option passenger_env_var inside server configs is falsifying values for the headers sent to the application.

For example this:

passenger_env_var HTTP_SECURITY_AAAAA 'public';
passenger_env_var HTTP_SECURITY_BBBBB 'public';
passenger_env_var HTTP_SECURITY_LEVEL 'public';

generates the following headers in the application:

HTTP_SECURITY_AAAAA: public
HTTP_SECURITY_BBBBB: public
- HTTP_SECURITY_LEVEL: public
+ HTTP_SECURITY_LEVEL: publci

It seems to be only the last one declared having this issue.

Also I was only able to reproduce this issue on my new ARM based Macbook.
On my older Intel based machine it was working fine.

Question 2: Passenger version and integration mode:

I'm using latest versions of both nginx + passenger currently available via homebrew:

nginx/1.21.6
Phusion Passenger(R) 6.0.13

Question 3: OS or Linux distro, platform (including version):

I've been able to reproduce on MacOS 12.3.1 (ARM) but not on 10.15.7 (Intel)

Question 4: Passenger installation method:

OS X Homebrew

Question 5: Your app's programming language (including any version managers) and framework (including versions):

Ruby 3.1.1 (RVM) / Rack 2.2.3

Question 6: Are you using a PaaS and/or containerization? If so which one?

Only tested on local machines.

Question 7: Anything else about your setup that we should know?

I've created a small repo with minimal setup that can be used to reproduce:

https://github.com/klausmeyer/nginx-passenger-issue
@mkon
Copy link

mkon commented Apr 21, 2022

I am able to reproduce this with the example app. I can also change the variables to

  passenger_env_var MY_AAAAA 'foobar';
  passenger_env_var MY_BBBBB 'foobar';
  passenger_env_var MY_LEVEL 'foobar';

To clarify these are environment variables and not http headers (but rack will merge them in the environment).

And the last one will become foobra instead of foobar in the rack env.

You can also change the example app to simply raise an exception in the config.ru so passenger does not even start. In the subprocess diagnostics you can also clearly see how the environment variable value swapped some characters around.

I was strangely not able to reproduce this with rails, maybe due to to there being many more environment variables so the error is harder to spot.

@bantonj
Copy link

bantonj commented Dec 12, 2022

Sounds very similar to an issue I ran into with Apache environment variables. I ended up needing to stop using the feature. Mine was also using arm (locally and in AWS).

@jtomson jtomson mentioned this issue Dec 12, 2022
Closed
CamJN added a commit that referenced this issue Aug 22, 2023
@CamJN
Fix aarch64 base64 decoding on little endian machines
455a793 
Fixes #2451 and #2419
@CamJN CamJN closed this as completed Aug 22, 2023
@klausmeyer
Copy link
Author

Thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@klausmeyer @mkon @bantonj @CamJN