reorg files

env/Dockerfile

@@ -0,0 +1,24 @@
+FROM ubuntu:22.04
+ENV DEBIAN_FRONTEND=noninteractive
+
+RUN apt-get update && apt-get install -y \
+    gcc make libpcre2-dev libssl-dev zlib1g-dev \
+    util-linux python3 curl git \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN git clone https://github.com/nginx/nginx.git /nginx-src \
+    && cd /nginx-src && git checkout 98fc3bb78
+
+RUN cd /nginx-src && ./auto/configure \
+    --builddir=build \
+    --with-cc-opt='-g -O2 -fno-omit-frame-pointer' \
+    --with-ld-opt='-Wl,-z,relro -Wl,-z,now' \
+    --with-http_ssl_module --with-http_v2_module \
+    && make -j$(nproc)
+
+WORKDIR /app
+COPY nginx.conf server.py entrypoint.sh ./
+RUN chmod +x entrypoint.sh && mkdir -p logs tmp
+
+ENTRYPOINT ["/app/entrypoint.sh"]
+EXPOSE 19321

env/docker-compose.yml

@@ -0,0 +1,12 @@
+services:
+  nginx:
+    build: .
+    cap_add:
+      - SYS_PTRACE
+    security_opt:
+      - seccomp=unconfined
+    init: true
+    ports:
+      - "19321:19321"
+    tty: true
+    stdin_open: true

env/entrypoint.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+cd /app
+python3 server.py &>/dev/null &
+# setarch -R disables ASLR for the launched process (deterministic addresses)
+exec setarch x86_64 -R /nginx-src/build/nginx -p /app -c /app/nginx.conf

env/nginx.conf

@@ -0,0 +1,59 @@
+daemon off;
+worker_processes 1;
+error_log logs/error.log;
+pid tmp/nginx.pid;
+worker_rlimit_core 500M;
+working_directory tmp;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    access_log off;
+    client_body_temp_path tmp;
+    proxy_temp_path tmp;
+    fastcgi_temp_path tmp;
+    uwsgi_temp_path tmp;
+    scgi_temp_path tmp;
+
+    upstream backend {
+        server 127.0.0.1:19323;
+    }
+
+    server {
+        listen 19322;
+        location / { return 200 "backend ok\n"; }
+    }
+
+    server {
+        listen 19321;
+        request_pool_size 7920;
+        connection_pool_size 4096;
+        client_header_buffer_size 2048;
+
+        # The rewrite + set combination triggers the bug:
+        # - rewrite sets e->is_args = 1 (due to '?' in replacement)
+        # - set $original_endpoint $1 allocates buffer using raw capture
+        #   length, but copies with escape expansion (3x for '+' chars)
+        location ~ ^/api/(.*)$ {
+            rewrite ^/api/(.*)$ /internal?migrated=true;
+            set $original_endpoint $1;
+        }
+
+        location /internal {
+            internal;
+            proxy_pass http://backend;
+            proxy_read_timeout 60s;
+        }
+
+        # Spray: POST body stored in pool memory (binary data, NUL bytes allowed)
+        location /spray {
+            client_body_in_single_buffer on;
+            proxy_pass http://backend;
+            proxy_read_timeout 60s;
+        }
+
+        location / { return 200 "ok\n"; }
+    }
+}

env/server.py

@@ -0,0 +1,32 @@
+#!/usr/bin/env python3
+"""Simple HTTP backend with configurable delay via X-Delay header."""
+import http.server
+import time
+import socketserver
+
+class BackendHandler(http.server.BaseHTTPRequestHandler):
+    def do_GET(self):
+        delay = float(self.headers.get('X-Delay', '5'))
+        time.sleep(delay)
+        self.send_response(200)
+        self.send_header('Content-Type', 'text/plain')
+        self.end_headers()
+        self.wfile.write(b'backend ok\n')
+
+    def do_POST(self):
+        length = int(self.headers.get('Content-Length', 0))
+        self.rfile.read(length)
+        delay = float(self.headers.get('X-Delay', '5'))
+        time.sleep(delay)
+        self.send_response(200)
+        self.send_header('Content-Type', 'text/plain')
+        self.end_headers()
+        self.wfile.write(b'backend ok\n')
+
+    def log_message(self, format, *args):
+        pass
+
+socketserver.TCPServer.allow_reuse_address = True
+with socketserver.TCPServer(("127.0.0.1", 19323), BackendHandler) as httpd:
+    print("Backend on :19323")
+    httpd.serve_forever()