From 4641497e9c85f6e182c3f134da3f79f324c85e12 Mon Sep 17 00:00:00 2001
From: Maxim Dounin
Date: Thu, 14 Mar 2013 12:30:26 +0000
Subject: [PATCH] Request body: avoid linking rb->buf to r->header_in.

Code to reuse of r->request_body->buf in upstream module assumes it's dedicated buffer, hence after 1.3.9 (r4931) it might reuse r->header_in if client_body_in_file_only was set, resulting in original request corruption. It is considered to be safer to always create a dedicated buffer for rb->bufs to avoid such problems.
---
 src/http/ngx_http_request_body.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/src/http/ngx_http_request_body.c b/src/http/ngx_http_request_body.c
index 1d2acb35e..e0525cc66 100644
--- a/src/http/ngx_http_request_body.c
+++ b/src/http/ngx_http_request_body.c
@@ -104,7 +104,20 @@ ngx_http_read_client_request_body(ngx_http_request_t *r,
 {
 /* the whole request body may be placed in r->header_in */

- rb->buf = r->header_in;
+ b = ngx_calloc_buf(r->pool);
+ if (b == NULL) {
+ rc = NGX_HTTP_INTERNAL_SERVER_ERROR;
+ goto done;
+ }
+
+ b->temporary = 1;
+ b->start = r->header_in->pos;
+ b->pos = r->header_in->pos;
+ b->last = r->header_in->last;
+ b->end = r->header_in->end;
+
+ rb->buf = b;
+
 r->read_event_handler = ngx_http_read_client_request_body_handler;
 r->write_event_handler = ngx_http_request_empty_handler;
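Review bot: The new `b` is only a separate ngx_buf_t descriptor: `b->start` through `b->end` still point into r->header_in's memory, and `b->temporary = 1` marks that memory as modifiable, so the comment kept above the block no longer describes the aliasing that remains. I would extend it, e.g. `/* rb->buf gets its own ngx_buf_t over header_in's data, so consumers may reset pos/last without touching r->header_in; the bytes themselves stay shared */`. Whether any consumer writes through `rb->buf` into the space between `b->last` and `b->end` cannot be checked from this hunk; that path is worth confirming, because such a write would land in the client header buffer after the body. `b`, `rc` and the `done` label are declared outside the hunk, and the enclosing function continues past it.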