mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-10-20 11:11:43 -04:00
e1d63ada02
While our ETag patch works pretty fine if it comes to serving data off
store paths, it unfortunately broke something that might be a bit more
common, namely when using regexes to extract path components of
location directives for example.
Recently, @devhell has reported a bug with a nginx location directive
like this:
location ~^/\~([a-z0-9_]+)(/.*)?$" {
alias /home/$1/public_html$2;
}
While this might look harmless at first glance, it does however cause
issues with our ETag patch. The alias directive gets broken up by nginx
like this:
*2 http script copy: "/home/"
*2 http script capture: "foo"
*2 http script copy: "/public_html/"
*2 http script capture: "bar.txt"
In our patch however, we use realpath(3) to get the canonicalised path
from ngx_http_core_loc_conf_s.root, which returns the *configured* value
from the root or alias directive. So in the example above, realpath(3)
boils down to the following syscalls:
lstat("/home", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat("/home/$1", 0x7ffd08da6f60) = -1 ENOENT (No such file or directory)
During my review[1] of the initial patch, I didn't actually notice that
what we're doing here is returning NGX_ERROR if the realpath(3) call
fails, which in turn causes an HTTP 500 error.
Since our patch actually made the canonicalisation (and thus additional
syscalls) necessary, we really shouldn't introduce an additional error
so let's - at least for now - silently skip return value if realpath(3)
has failed.
However since we're using the unaltered root from the config we have
another issue, consider this root:
/nix/store/...-abcde/$1
Calling realpath(3) on this path will fail (except if there's a file
called "$1" of course), so even this fix is not enough because it
results in the ETag not being set to the store path hash.
While this is very ugly and we should fix this very soon, it's not as
serious as getting HTTP 500 errors for serving static files.
I added a small NixOS VM test, which uses the example above as a
regression test.
It seems that my memory is failing these days, since apparently I *knew*
about this issue since digging for existing issues in nixpkgs, I found
this similar pull request which I even reviewed:
https://github.com/NixOS/nixpkgs/pull/66532
However, since the comments weren't addressed and the author hasn't
responded to the pull request, I decided to keep this very commit and do
a follow-up pull request.
[1]: https://github.com/NixOS/nixpkgs/pull/48337
Signed-off-by: aszlig <aszlig@nix.build>
Reported-by: @devhell
Acked-by: @7c6f434c
Acked-by: @yorickvP
Merges: https://github.com/NixOS/nixpkgs/pull/80671
Fixes: https://github.com/NixOS/nixpkgs/pull/66532
|
||
|---|---|---|
| .. | ||
| common | ||
| google-oslogin | ||
| hadoop | ||
| hitch | ||
| hocker-fetchdocker | ||
| hydra | ||
| initrd-network-ssh | ||
| installed-tests | ||
| kerberos | ||
| krb5 | ||
| kubernetes | ||
| lorri | ||
| nextcloud | ||
| nfs | ||
| wireguard | ||
| xmpp | ||
| 3proxy.nix | ||
| acme.nix | ||
| all-tests.nix | ||
| ammonite.nix | ||
| atd.nix | ||
| automysqlbackup.nix | ||
| avahi.nix | ||
| babeld.nix | ||
| bcachefs.nix | ||
| beanstalkd.nix | ||
| bees.nix | ||
| bind.nix | ||
| bittorrent.nix | ||
| boot-stage1.nix | ||
| boot.nix | ||
| borgbackup.nix | ||
| buildbot.nix | ||
| buildkite-agents.nix | ||
| caddy.nix | ||
| cadvisor.nix | ||
| cage.nix | ||
| cassandra.nix | ||
| ceph-multi-node.nix | ||
| ceph-single-node.nix | ||
| certmgr.nix | ||
| cfssl.nix | ||
| chromium.nix | ||
| cjdns.nix | ||
| clickhouse.nix | ||
| cloud-init.nix | ||
| cockroachdb.nix | ||
| codimd.nix | ||
| consul.nix | ||
| containers-bridge.nix | ||
| containers-ephemeral.nix | ||
| containers-extra_veth.nix | ||
| containers-hosts.nix | ||
| containers-imperative.nix | ||
| containers-ip.nix | ||
| containers-macvlans.nix | ||
| containers-physical_interfaces.nix | ||
| containers-portforward.nix | ||
| containers-reloadable.nix | ||
| containers-restart_networking.nix | ||
| containers-tmpfs.nix | ||
| corerad.nix | ||
| couchdb.nix | ||
| deluge.nix | ||
| dhparams.nix | ||
| dnscrypt-proxy2.nix | ||
| docker-containers.nix | ||
| docker-edge.nix | ||
| docker-preloader.nix | ||
| docker-registry.nix | ||
| docker-tools-overlay.nix | ||
| docker-tools.nix | ||
| docker.nix | ||
| documize.nix | ||
| dokuwiki.nix | ||
| dovecot.nix | ||
| ec2.nix | ||
| ecryptfs.nix | ||
| elk.nix | ||
| emacs-daemon.nix | ||
| env.nix | ||
| etcd-cluster.nix | ||
| etcd.nix | ||
| fancontrol.nix | ||
| fenics.nix | ||
| ferm.nix | ||
| firefox.nix | ||
| firewall.nix | ||
| fish.nix | ||
| flannel.nix | ||
| fluentd.nix | ||
| fontconfig-default-fonts.nix | ||
| freeswitch.nix | ||
| fsck.nix | ||
| gerrit.nix | ||
| gitdaemon.nix | ||
| gitea.nix | ||
| gitlab.nix | ||
| gitolite-fcgiwrap.nix | ||
| gitolite.nix | ||
| glusterfs.nix | ||
| gnome3-xorg.nix | ||
| gnome3.nix | ||
| gocd-agent.nix | ||
| gocd-server.nix | ||
| gotify-server.nix | ||
| grafana.nix | ||
| graphite.nix | ||
| graylog.nix | ||
| grocy.nix | ||
| gvisor.nix | ||
| haka.nix | ||
| handbrake.nix | ||
| haproxy.nix | ||
| hardened.nix | ||
| hibernate.nix | ||
| home-assistant.nix | ||
| hound.nix | ||
| i3wm.nix | ||
| icingaweb2.nix | ||
| iftop.nix | ||
| ihatemoney.nix | ||
| incron.nix | ||
| influxdb.nix | ||
| initrd-network.nix | ||
| installer.nix | ||
| iodine.nix | ||
| ipfs.nix | ||
| ipv6.nix | ||
| jackett.nix | ||
| jellyfin.nix | ||
| jenkins.nix | ||
| jirafeau.nix | ||
| kafka.nix | ||
| keepalived.nix | ||
| kernel-latest.nix | ||
| kernel-lts.nix | ||
| kernel-testing.nix | ||
| kexec.nix | ||
| keymap.nix | ||
| knot.nix | ||
| ldap.nix | ||
| leaps.nix | ||
| lidarr.nix | ||
| lightdm.nix | ||
| limesurvey.nix | ||
| login.nix | ||
| loki.nix | ||
| magnetico.nix | ||
| mailcatcher.nix | ||
| make-test-python.nix | ||
| make-test.nix | ||
| mathics.nix | ||
| matomo.nix | ||
| matrix-synapse.nix | ||
| mediawiki.nix | ||
| memcached.nix | ||
| mesos.nix | ||
| mesos_test.py | ||
| metabase.nix | ||
| minidlna.nix | ||
| miniflux.nix | ||
| minio.nix | ||
| misc.nix | ||
| moinmoin.nix | ||
| mongodb.nix | ||
| moodle.nix | ||
| morty.nix | ||
| mosquitto.nix | ||
| mpd.nix | ||
| mpich-example.c | ||
| mumble.nix | ||
| munin.nix | ||
| mutable-users.nix | ||
| mxisd.nix | ||
| mysql-backup.nix | ||
| mysql-replication.nix | ||
| mysql.nix | ||
| nagios.nix | ||
| nat.nix | ||
| ndppd.nix | ||
| neo4j.nix | ||
| nesting.nix | ||
| netdata.nix | ||
| networking-proxy.nix | ||
| networking.nix | ||
| nexus.nix | ||
| nghttpx.nix | ||
| nginx-etag.nix | ||
| nginx-pubhtml.nix | ||
| nginx-sso.nix | ||
| nginx.nix | ||
| nix-ssh-serve.nix | ||
| nixos-generate-config.nix | ||
| novacomd.nix | ||
| nsd.nix | ||
| nzbget.nix | ||
| openarena.nix | ||
| openldap.nix | ||
| opensmtpd.nix | ||
| openssh.nix | ||
| openstack-image.nix | ||
| orangefs.nix | ||
| os-prober.nix | ||
| osrm-backend.nix | ||
| overlayfs.nix | ||
| packagekit.nix | ||
| pam-oath-login.nix | ||
| pam-u2f.nix | ||
| pantheon.nix | ||
| paperless.nix | ||
| partition.nix | ||
| pdns-recursor.nix | ||
| peerflix.nix | ||
| pgjwt.nix | ||
| pgmanage.nix | ||
| php-pcre.nix | ||
| plasma5.nix | ||
| plotinus.nix | ||
| postgis.nix | ||
| postgresql-wal-receiver.nix | ||
| postgresql.nix | ||
| powerdns.nix | ||
| pppd.nix | ||
| predictable-interface-names.nix | ||
| printing.nix | ||
| prometheus-exporters.nix | ||
| prometheus.nix | ||
| proxy.nix | ||
| quagga.nix | ||
| rabbitmq.nix | ||
| radarr.nix | ||
| radicale.nix | ||
| redis.nix | ||
| redmine.nix | ||
| resolv.nix | ||
| restic.nix | ||
| riak.nix | ||
| roundcube.nix | ||
| rspamd.nix | ||
| rss2email.nix | ||
| rsyslogd.nix | ||
| run-in-machine.nix | ||
| rxe.nix | ||
| samba.nix | ||
| sanoid.nix | ||
| sddm.nix | ||
| service-runner.nix | ||
| shiori.nix | ||
| signal-desktop.nix | ||
| simple.nix | ||
| slurm.nix | ||
| smokeping.nix | ||
| snapper.nix | ||
| solr.nix | ||
| sonarr.nix | ||
| spacecookie.nix | ||
| spike.nix | ||
| ssh-keys.nix | ||
| strongswan-swanctl.nix | ||
| sudo.nix | ||
| switch-test.nix | ||
| sympa.nix | ||
| syncthing-init.nix | ||
| syncthing-relay.nix | ||
| systemd-analyze.nix | ||
| systemd-confinement.nix | ||
| systemd-networkd-vrf.nix | ||
| systemd-networkd.nix | ||
| systemd-nspawn.nix | ||
| systemd-timesyncd.nix | ||
| systemd.nix | ||
| taskserver.nix | ||
| telegraf.nix | ||
| testdb.sql | ||
| tiddlywiki.nix | ||
| timezone.nix | ||
| tinydns.nix | ||
| tor.nix | ||
| trac.nix | ||
| transmission.nix | ||
| trezord.nix | ||
| trickster.nix | ||
| trilium-server.nix | ||
| udisks2.nix | ||
| upnp.nix | ||
| uwsgi.nix | ||
| vault.nix | ||
| victoriametrics.nix | ||
| virtualbox.nix | ||
| wordpress.nix | ||
| xandikos.nix | ||
| xautolock.nix | ||
| xfce.nix | ||
| xmonad.nix | ||
| xrdp.nix | ||
| xss-lock.nix | ||
| yabar.nix | ||
| yggdrasil.nix | ||
| zfs.nix | ||
| zookeeper.nix | ||
| zsh-history.nix | ||