nginx.git, branch release-1.17.7 nginx nginx-1.17.7-RELEASE 2019-12-24T15:00:09+00:00 Maxim Dounin mdounin@mdounin.ru 2019-12-24T15:00:09+00:00 e5595b37e3e759300c0de3d93fe6861c907ca621 






SSL: reworked posted next events.
2019-12-24T14:24:59+00:00

Maxim Dounin
mdounin@mdounin.ru

2019-12-24T14:24:59+00:00

24f18aea8ce1e847362c6bfa586bc0807ebae90d

Introduced in 9d2ad2fb4423 available bytes handling in SSL relied
on connection read handler being overwritten to set the ready flag
and the amount of available bytes.  This approach is, however, does
not work properly when connection read handler is changed, for example,
when switching to a next pipelined request, and can result in unexpected
connection timeouts, see here:

http://mailman.nginx.org/pipermail/nginx-devel/2019-December/012825.html

Fix is to introduce ngx_event_process_posted_next() instead, which
will set ready and available regardless of how event handler is set.





Introduced in 9d2ad2fb4423 available bytes handling in SSL relied
on connection read handler being overwritten to set the ready flag
and the amount of available bytes.  This approach is, however, does
not work properly when connection read handler is changed, for example,
when switching to a next pipelined request, and can result in unexpected
connection timeouts, see here:

http://mailman.nginx.org/pipermail/nginx-devel/2019-December/012825.html

Fix is to introduce ngx_event_process_posted_next() instead, which
will set ready and available regardless of how event handler is set.







HTTP/2: introduced separate handler to retry stream close.
2019-12-23T18:25:21+00:00

Maxim Dounin
mdounin@mdounin.ru

2019-12-23T18:25:21+00:00

810559665a704957431b387572af99a82039162a

When ngx_http_v2_close_stream_handler() is used to retry stream close
after queued frames are sent, client timeouts on the stream can be
logged multiple times and/or in addition to already happened errors.
To resolve this, separate ngx_http_v2_retry_close_stream_handler()
was introduced, which does not try to log timeouts.





When ngx_http_v2_close_stream_handler() is used to retry stream close
after queued frames are sent, client timeouts on the stream can be
logged multiple times and/or in addition to already happened errors.
To resolve this, separate ngx_http_v2_retry_close_stream_handler()
was introduced, which does not try to log timeouts.







HTTP/2: fixed socket leak with queued frames (ticket #1689).
2019-12-23T18:25:17+00:00

Maxim Dounin
mdounin@mdounin.ru

2019-12-23T18:25:17+00:00

49709f75b262c483550cc826471839f624765ab1

If a stream is closed with queued frames, it is possible that no further
write events will occur on the stream, leading to the socket leak.
To fix this, the stream's fake connection read handler is set to
ngx_http_v2_close_stream_handler(), to make sure that finalizing the
connection with ngx_http_v2_finalize_connection() will be able to
close the stream regardless of the current number of queued frames.

Additionally, the stream's fake connection fc->error flag is explicitly
set, so ngx_http_v2_handle_stream() will post a write event when queued
frames are finally sent even if stream flow control window is exhausted.





If a stream is closed with queued frames, it is possible that no further
write events will occur on the stream, leading to the socket leak.
To fix this, the stream's fake connection read handler is set to
ngx_http_v2_close_stream_handler(), to make sure that finalizing the
connection with ngx_http_v2_finalize_connection() will be able to
close the stream regardless of the current number of queued frames.

Additionally, the stream's fake connection fc->error flag is explicitly
set, so ngx_http_v2_handle_stream() will post a write event when queued
frames are finally sent even if stream flow control window is exhausted.







Dav: added checks for chunked to body presence conditions.
2019-12-23T17:39:27+00:00

Maxim Dounin
mdounin@mdounin.ru

2019-12-23T17:39:27+00:00

5e5fa2e9e57b713e445b1737005ff6a202bda8ad

These checks were missed when chunked support was introduced.  And also
added an explicit error message to ngx_http_dav_copy_move_handler()
(it was missed for some reason, in contrast to DELETE and MKCOL handlers).





These checks were missed when chunked support was introduced.  And also
added an explicit error message to ngx_http_dav_copy_move_handler()
(it was missed for some reason, in contrast to DELETE and MKCOL handlers).







Update manpage, sort command line options.
2019-12-23T15:56:21+00:00

Sergey A. Osokin
osa@FreeBSD.org.ru

2019-12-23T15:56:21+00:00

d97ccc831a6f4812cb9f086cbcdfdfdcae24f5df












Discard request body when redirecting to a URL via error_page.
2019-12-23T12:45:46+00:00

Ruslan Ermilov
ru@nginx.com

2019-12-23T12:45:46+00:00

c1be55f97211d38b69ac0c2027e6812ab8b1b94e

Reported by Bert JW Regeer and Francisco Oca Gonzalez.





Reported by Bert JW Regeer and Francisco Oca Gonzalez.







Rewrite: disallow empty replacements.
2019-12-16T12:19:01+00:00

Ruslan Ermilov
ru@nginx.com

2019-12-16T12:19:01+00:00

4c031f9a6a879bcc4e86f5b7d4177996c9bca4cd

While empty replacements were caught at run-time, parsing code
of the "rewrite" directive expects that a minimum length of the
"replacement" argument is 1.





While empty replacements were caught at run-time, parsing code
of the "rewrite" directive expects that a minimum length of the
"replacement" argument is 1.







Tolerate '\0' in URI when mapping URI to path.
2019-12-16T12:19:01+00:00

Ruslan Ermilov
ru@nginx.com

2019-12-16T12:19:01+00:00

a5895eb502747f396d3901a948834cd87d5fb0c3

If a rewritten URI has the null character, only a part of URI was
copied to a memory buffer allocated for path.  In some setups this
could be exploited to expose uninitialized memory via the Location
header.





If a rewritten URI has the null character, only a part of URI was
copied to a memory buffer allocated for path.  In some setups this
could be exploited to expose uninitialized memory via the Location
header.







Rewrite: fixed segfault with rewritten URI and "alias".
2019-12-16T12:19:01+00:00

Ruslan Ermilov
ru@nginx.com

2019-12-16T12:19:01+00:00

af8ea176a743e97d767b3e1439d549b52dd0367a

The "alias" directive cannot be used in the same location where URI
was rewritten.  This has been detected in the "rewrite ... break"
case, but not when the standalone "break" directive was used.

This change also fixes proxy_pass with URI component in a similar
case:

       location /aaa/ {
           rewrite ^ /xxx/yyy;
           break;
           proxy_pass http://localhost:8080/bbb/;
       }

Previously, the "/bbb/yyy" would be sent to a backend instead of
"/xxx/yyy".  And if location's prefix was longer than the rewritten
URI, a segmentation fault might occur.





The "alias" directive cannot be used in the same location where URI
was rewritten.  This has been detected in the "rewrite ... break"
case, but not when the standalone "break" directive was used.

This change also fixes proxy_pass with URI component in a similar
case:

       location /aaa/ {
           rewrite ^ /xxx/yyy;
           break;
           proxy_pass http://localhost:8080/bbb/;
       }

Previously, the "/bbb/yyy" would be sent to a backend instead of
"/xxx/yyy".  And if location's prefix was longer than the rewritten
URI, a segmentation fault might occur.