nginx.git, branch release-1.13.3

nginx-1.13.3-RELEASE

2017-07-11T13:18:30+00:00

Range filter: avoid negative range start.

2017-07-11T13:06:26+00:00

Suffix ranges no longer allowed to set negative start values, to prevent
ranges with negative start from appearing even if total size protection
will be removed.

Range filter: protect from total size overflows.

2017-07-11T13:06:23+00:00

The overflow can be used to circumvent the restriction on total size of
ranges introduced in c2a91088b0c0 (1.1.2).  Additionally, overflow
allows producing ranges with negative start (such ranges can be created
by using a suffix, "bytes=-100"; normally this results in 200 due to
the total size check).  These can result in the following errors in logs:

[crit] ... pread() ... failed (22: Invalid argument)
[alert] ... sendfile() failed (22: Invalid argument)

When using cache, it can be also used to reveal cache file header.
It is believed that there are no other negative effects, at least with
standard nginx modules.

In theory, this can also result in memory disclosure and/or segmentation
faults if multiple ranges are allowed, and the response is returned in a
single in-memory buffer.  This never happens with standard nginx modules
though, as well as known 3rd party modules.

Fix is to properly protect from possible overflow when incrementing size.

Variables: use ngx_http_variable_null_value where appropriate.

2017-07-07T11:34:21+00:00

Resolver: cancelable resend timer event.

2017-07-04T15:50:41+00:00

It is safe because re-sending still works during graceful shutdown as
long as resolving takes place (and resolve tasks set their own timeouts
that are not cancelable).

Also, the new ctx->cancelable flag can be set to make resolve task's
timeout event cancelable.

Resolver: factored out setting a timer for resolver timeout.

2017-07-04T15:46:30+00:00

No functional changes.

Slab: fixed small allocations on systems with large pagesize.

2017-07-04T15:32:30+00:00

Notably, on ppc64 with 64k pagesize, slab 0 (of size 8) requires
128 64-bit elements for bitmasks.  The code bogusly assumed that
one uintptr_t is enough for bitmasks plus at least one free slot.

Slab: style.

2017-07-04T15:32:28+00:00

Resolver: fixed possible use-after-free while resolving SRV.

2017-07-04T15:07:29+00:00

Resolving an SRV record includes resolving its host names in subrequests.
Previously, if memory allocation failed while reporting a subrequest result
after receiving a response from a DNS server, the SRV resolve handler was
called immediately with the NGX_ERROR state.  However, if the SRV record
included another copy of the resolved name, it was reported once again.
This could trigger the use-after-free memory access after SRV resolve
handler freed the resolve context by calling ngx_resolve_name_done().

Now the SRV resolve handler is called only when all its subrequests are
completed.

Proxy: split configured header names and values.

2017-03-15T22:55:35+00:00

Previously, each configured header was represented in one of two ways,
depending on whether or not its value included any variables.

If the value didn't include any variables, then it would be represented
as as a single script that contained complete header line with HTTP/1.1
delimiters, i.e.:

     "Header: value\r\n"

But if the value included any variables, then it would be represented
as a series of three scripts: first contained header name and the ": "
delimiter, second evaluated to header value, and third contained only
"\r\n", i.e.:

     "Header: "
     "$value"
     "\r\n"

This commit changes that, so that each configured header is represented
as a series of two scripts: first contains only header name, and second
contains (or evaluates to) only header value, i.e.:

    "Header"
    "$value"

or

    "Header"
    "value"

This not only makes things more consistent, but also allows header name
and value to be accessed separately.

Signed-off-by: Piotr Sikora