Alias regex use causing core dump as of nginx 1.7.1

Server NGINX
1

Hi, after upgrading from the v1.6.3 to v1.8.0 stable branch an alias I
used
for Roundcubemail no longer works.
I traced the issue back to a probable change made in nginx v1.7.1:
“Bugfix: the “alias” directive used inside a location given by a regular
expression worked incorrectly if the “if” or “limit_except” directives
were
used.”

In version 1.6.3 and 1.7.0 the following works fine:
## Roundcubemail for Remi repository
location ~ ^/mail/(.+.php)$ {
alias /usr/share/roundcubemail/$1;
client_max_body_size 5M;
fastcgi_pass _php;
}
location ~ /mail {
alias /usr/share/roundcubemail/;
client_max_body_size 5M;
try_files $uri $uri/ /index.php;
}

But in v1.7.1 it causes nginx to core dump if I visit the url
Domain.com Login and if I visit Domain.com Login I get taken to the front
page.

[notice] 26221#0: signal 17 (SIGCHLD) received
[alert] 26221#0: worker process 26223 exited on signal 11 (core dumped)
[notice] 26221#0: start worker process 26231
[notice] 26221#0: signal 29 (SIGIO) received

Posted at Nginx Forum:

2

Hello!

On Sun, Jul 26, 2015 at 10:25:19AM -0400, Per Hansson wrote:

       alias /usr/share/roundcubemail/$1;

Domain.com Login and if I visit Domain.com Login I get taken to the front
page.

[notice] 26221#0: signal 17 (SIGCHLD) received
[alert] 26221#0: worker process 26223 exited on signal 11 (core dumped)
[notice] 26221#0: start worker process 26231
[notice] 26221#0: signal 29 (SIGIO) received

Thanks, it was broken by this commit:

http://hg.nginx.org/nginx/rev/c985d90a8d1f

The patch below will fix the segfault. Note though, that the
result will probably won’t work for you. Proper way to fix this
would be to don’t use regex location for /mail, but use a prefix
one instead, i.e.:

location /mail {
    alias /usr/share/roundcubemail/;
    try_files $uri $uri/ /index.php;
}

(Note: no “~”.)

The configuration with regex location previously worked by
coincidence - in try_files nginx used to do string comparison with
regular expression specified, and this happened to produce
sensible result in your case.

Patch:

HG changeset patch

User Maxim D. [email protected]

Date 1437975869 -10800

Mon Jul 27 08:44:29 2015 +0300

Node ID cb8f6e9d9943e2c8bd332443c0018a40353288fe

Parent d34cda011a8ed968c5f2c4469ce43b7e7f0afda6

Fixed segfault with try_files introduced by c985d90a8d1f.

If alias was used in a location given by a regular expression,
nginx used to do wrong thing in try_files if a location name (i.e.,
regular expression) was an exact prefix of URI. The following
configuration triggered a segmentation fault on a request to “/mail”:

location ~ /mail {
    alias /path/to/directory;
    try_files $uri =404;
}

Reported by Per Hansson.

diff --git a/src/http/ngx_http_core_module.c
b/src/http/ngx_http_core_module.c
— a/src/http/ngx_http_core_module.c
+++ b/src/http/ngx_http_core_module.c
@@ -1239,7 +1239,9 @@ ngx_http_core_try_files_phase(ngx_http_r

         *e.pos = '\0';

  •        if (alias && ngx_strncmp(name, clcf->name.data, alias) ==
  1. {
  •        if (alias && alias != NGX_MAX_SIZE_T_VALUE

  •            && ngx_strncmp(name, clcf->name.data, alias) == 0)

  •        {
           ngx_memmove(name, name + alias, len - alias);
           path.len -= alias;
       }


Maxim D.
http://nginx.org/

3

Thanks Maxim, you are correct about not making the /mail location a
regex,
it solves the problem.
As for the core dump I compiled v1.9.3 with your patch and can confirm
it no
longer crashes with the original config.
But as you suspected the config anyway does not work without removing
the
regex for the /mail location…
Thanks for the quick fix!

Posted at Nginx Forum: