Nginx `passenger_env_var` falsifying values

Open klausmeyer opened this issue 2 years ago • 1 comments

Issue report

Question 1: What is the problem?

When using the nginx module of Passenger, the option `passenger_env_var` inside server configs is falsifying values for the headers sent to the application.

For example this:

```nginx
passenger_env_var HTTP_SECURITY_AAAAA 'public';
passenger_env_var HTTP_SECURITY_BBBBB 'public';
passenger_env_var HTTP_SECURITY_LEVEL 'public';
```

generates the following headers in the application:

```diff
HTTP_SECURITY_AAAAA: public
HTTP_SECURITY_BBBBB: public
- HTTP_SECURITY_LEVEL: public
+ HTTP_SECURITY_LEVEL: publci
```

It seems to be only the last one declared having this issue.

Also, I was only able to reproduce this issue on my new ARM-based MacBook. On my older Intel-based machine it was working fine.

Question 2: Passenger version and integration mode:

I'm using the latest versions of both nginx + passenger currently available via homebrew:

nginx/1.21.6
Phusion Passenger(R) 6.0.13

Question 3: OS or Linux distro, platform (including version):

I've been able to reproduce on macOS 12.3.1 (ARM) but not on 10.15.7 (Intel).

Question 4: Passenger installation method:

OS X Homebrew

Question 5: Your app's programming language (including any version managers) and framework (including versions):

Ruby 3.1.1 (RVM) / Rack 2.2.3

Question 6: Are you using a PaaS and/or containerization? If so which one?

Only tested on local machines.

Question 7: Anything else about your setup that we should know?

I've created a small repo with minimal setup that can be used to reproduce:

https://github.com/klausmeyer/nginx-passenger-issue

klausmeyer, Apr 19 '22 15:04

I am able to reproduce this with the example app. I can also change the variables to

```nginx
passenger_env_var MY_AAAAA 'foobar';
passenger_env_var MY_BBBBB 'foobar';
passenger_env_var MY_LEVEL 'foobar';
```

To clarify, these are environment variables and not HTTP headers (but Rack will merge them into the environment).

And the last one will become `foobra` instead of `foobar` in the Rack env.

You can also change the example app to simply raise an exception in the config.ru so passenger does not even start. In the subprocess diagnostics you can also clearly see how the environment variable value swapped some characters around.

I was strangely not able to reproduce this with Rails, maybe due to there being many more environment variables, so the error is harder to spot.

mkon, Apr 21 '22 15:04
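A fail-closed check for the situation reported above, as an added example that is not part of the thread or of Passenger: a Rack middleware that compares the variables set with `passenger_env_var` against an allowlist and rejects the request when a value such as `publci` arrives. `EXPECTED`, `check_env` and `EnvGuard` are hypothetical names; the variable names and values are the ones from the report.

```ruby
# Added example (not from the issue thread or the Passenger project).
# EXPECTED, check_env and EnvGuard are hypothetical names.

# Values the nginx config is supposed to deliver, per variable.
EXPECTED = {
  "HTTP_SECURITY_AAAAA" => %w[public],
  "HTTP_SECURITY_BBBBB" => %w[public],
  "HTTP_SECURITY_LEVEL" => %w[public]
}.freeze

# Returns one finding per variable whose value is missing or not allowed.
# :transposed marks a value that is a permutation of an allowed value,
# which is the corruption pattern reported above ("publci").
def check_env(env, expected = EXPECTED)
  expected.filter_map do |name, allowed|
    value = env[name]
    next if allowed.include?(value)
    kind =
      if value.nil? then :missing
      elsif allowed.any? { |a| a.chars.sort == value.chars.sort } then :transposed
      else :unexpected
      end
    { name: name, value: value, kind: kind }
  end
end

# Rack middleware: refuse the request instead of passing a corrupted
# value on to code that might branch on it.
class EnvGuard
  def initialize(app, expected = EXPECTED)
    @app = app
    @expected = expected
  end

  def call(env)
    findings = check_env(env, @expected)
    return @app.call(env) if findings.empty?
    findings.each do |f|
      warn "env integrity: #{f[:name]}=#{f[:value].inspect} (#{f[:kind]})"
    end
    [500, { "content-type" => "text/plain" }, ["configuration error\n"]]
  end
end
```

In a `config.ru` this would be enabled with `use EnvGuard` ahead of the application, so a corrupted value is logged and never reaches code that decides on it.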

Sounds very similar to an issue I ran into with Apache environment variables. I ended up needing to stop using the feature. Mine was also using ARM (locally and in AWS).

bantonj, Dec 12 '22 15:12

Thank you!

klausmeyer, Aug 23 '23 07:08