Bug #2938
closedLighttpd crashes on wrong return type in lua script
Description
If a lua script is attached with magnet.attract-raw-url-to, this script is expected to either return nothing or a numeric value, which is interpreted as http status code later.
If a boolean is returned, lighttpd crashes with a segfault. This is a lua programming error, but lighttpd should not crash.
Related log message in error log is:
(mod_magnet.c.420) (lua-atpanic) bad argument #-1 (number expected, got boolean)
gdb backtrace ist very short:
Program received signal SIGSEGV, Segmentation fault.
_longjmp_chk () at ../sysdeps/unix/sysv/linux/x86_64/_longjmp_chk.S:167
167 ../sysdeps/unix/sysv/linux/x86_64/____longjmp_chk.S: Datei oder Verzeichnis nicht gefunden.
(gdb) bt
#0 _longjmp_chk () at ../sysdeps/unix/sysv/linux/x86_64/_longjmp_chk.S:167
#1 0x65479cc994dcfd30 in ?? ()
Backtrace stopped: Cannot access memory at address 0x65479cc994dcfd30
Steps to reproduce:
- lighttpd.conf with mod_magnet and a lua script attached with magnet.attract-raw-url-to
- lua script with only one line:
return true
- request to the url with attached lua script
Files
Updated by gstrauss over 5 years ago
- Target version changed from 1.4.54 to 1.4.x
Updated by gstrauss over 5 years ago
Based on your description, please have a look at mod_magnet.c line 968:
lua_return_value = (int) luaL_optinteger(L, -1, -1);
That code expects an int and is possibly what is resulting in the lua panic, but I don't have time at this moment to test that theory. The code should probably verify the existence and type of argument at that position on the stack before calling luaL_optinteger().
Updated by flynn over 5 years ago
- File lighttpd-mod_magnet-fix_wrong_return-type.diff lighttpd-mod_magnet-fix_wrong_return-type.diff added
This patch fixes the problem for me:
- behaviour with numeric and nil types is unchanged
- all other types are handled like nil type (return -1), but a log messages is written and the crash is avoided
Updated by gstrauss over 5 years ago
Should lua_return_type == LUA_TNIL be an error, too? This is a programming interface. If someone is not returning a value per the API, then we should probably not assume that everything is ok without at least logging.
Updated by flynn over 5 years ago
From my current understanding and usage of lua scripts with mod_magnet there two use cases:
1.) generating content with lua, redirect the request or request authentication
In these cases the lua script must return a valid http status code and maybe additional header and/or content
Returning a number means: the request ends here2.) the lua script just modifies/verifies the request and has nothing to change.
Take a look at the traffic quota example in the AbsoLUAtion page of this wiki.
If the request is not blocked, the script just ends returning nothing, which is nil in Lua.
It does not make a difference, whether nil is returned explicit or the script just ends (I just verified both cases).
Another use case: the lua script checks for authentication:
- either the request is missing the the needed data (e.e. header), than we have case 1.), a redirect to a login url or a status 401
- or the request is verified and can proceed
Returning nothing/nil in a lua script just means: continue with the requestIf returning nil is considred an error, this would break a lot of existing scripts.
The example "Do basic HTTP-Auth against a MySQL DB/Table" in the AbsoLUAtion page ends with the follwing two lines
-- return nothing to proceed normal operation
returnUpdated by gstrauss over 5 years ago
The documentation matches your patch. Thanks!
https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_ModMagnet#Status-Codes
Updated by gstrauss over 5 years ago
- Status changed from New to Patch Pending
- Target version changed from 1.4.x to 1.4.54
Updated by gstrauss over 5 years ago
- Status changed from Patch Pending to Fixed
- % Done changed from 0 to 100
Applied in changeset 8064b7483ae4b2bd58a5ab56b2bf7e2663cc094c.
Also available in: Atom