Upstream: disabled upgrading in subrequests.

Upgrading an upstream connection is usually followed by reading from the client
which a subrequest is not allowed to do.  Moreover, accessing the header_in
request field while processing upgraded connection ends up with a null pointer
dereference since the header_in buffer is only created for the the main request.

diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c
index c29ee97d86618698cff53201965bba08d9e31b4a..75f463ba79956d2f01a7858c9fc24bf722ab1b56 100644 (file)
--- a/src/http/ngx_http_upstream.c
+++ b/src/http/ngx_http_upstream.c
@@ -3206,6 +3206,13 @@ ngx_http_upstream_upgrade(ngx_http_request_t *r, ngx_http_upstream_t *u)
 
     /* TODO: prevent upgrade if not requested or not possible */
 
+    if (r != r->main) {
+        ngx_log_error(NGX_LOG_ERR, c->log, 0,
+                      "connection upgrade in subrequest");
+        ngx_http_upstream_finalize_request(r, u, NGX_ERROR);
+        return;
+    }
+
     r->keepalive = 0;
     c->log->action = "proxying upgraded connection";