nginx.git/src/core/ngx_string.c, branch release-1.29.2 nginx Mail: xtext encoding (RFC 3461) in XCLIENT LOGIN. 2025-09-26T13:04:20+00:00 Sergey Kandaurov pluknet@nginx.com 2025-09-11T14:23:10+00:00 6f81314a070201afc4e25b975b1f915698cff634 The XCLIENT command uses xtext encoding for attribute values, as specified in https://www.postfix.org/XCLIENT_README.html. Reported by Igor Morgenstern of Aisle Research. 
The XCLIENT command uses xtext encoding for attribute values,
as specified in https://www.postfix.org/XCLIENT_README.html.

Reported by Igor Morgenstern of Aisle Research.
Core: stricter UTF-8 handling in ngx_utf8_decode(). 2023-02-22T23:09:50+00:00 Yugo Horie u5.horie@gmail.com 2023-02-22T23:09:50+00:00 2c5fccd4693c0a68e1c72d65e016ba83e861120e An UTF-8 octet sequence cannot start with a 11111xxx byte (above 0xf8), see https://datatracker.ietf.org/doc/html/rfc3629#section-3. Previously, such bytes were accepted by ngx_utf8_decode() and misinterpreted as 11110xxx bytes (as in a 4-byte sequence). While unlikely, this can potentially cause issues. Fix is to explicitly reject such bytes in ngx_utf8_decode(). 
An UTF-8 octet sequence cannot start with a 11111xxx byte (above 0xf8),
see https://datatracker.ietf.org/doc/html/rfc3629#section-3.  Previously,
such bytes were accepted by ngx_utf8_decode() and misinterpreted as 11110xxx
bytes (as in a 4-byte sequence).  While unlikely, this can potentially cause
issues.

Fix is to explicitly reject such bytes in ngx_utf8_decode().
Core: escaping of chars not allowed in URIs per RFC 3986. 2021-06-28T15:01:11+00:00 Maxim Dounin mdounin@mdounin.ru 2021-06-28T15:01:11+00:00 fee09fc49d510de0078f9bc7fc18dc179cceb62b Per RFC 3986 only the following characters are allowed in URIs unescaped: unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~" gen-delims = ":" / "/" / "?" / "#" / "[" / "]" / "@" sub-delims = "!" / "$" / "&" / "'" / "(" / ")" / "*" / "+" / "," / ";" / "=" And "%" can appear as a part of escaping itself. The following characters are not allowed and need to be escaped: %00-%1F, %7F-%FF, " ", """, "<", ">", "\", "^", "`", "{", "|", "}". Not escaping ">" is known to cause problems at least with MS Exchange (see http://nginx.org/pipermail/nginx-ru/2010-January/031261.html) and in Tomcat (ticket #2191). The patch adds escaping of the following chars in all URI parts: """, "<", ">", "\", "^", "`", "{", "|", "}". Note that comments are mostly preserved to outline important characters being escaped. 
Per RFC 3986 only the following characters are allowed in URIs unescaped:

unreserved    = ALPHA / DIGIT / "-" / "." / "_" / "~"
gen-delims    = ":" / "/" / "?" / "#" / "[" / "]" / "@"
sub-delims    = "!" / "$" / "&" / "'" / "(" / ")"
              / "*" / "+" / "," / ";" / "="

And "%" can appear as a part of escaping itself.  The following
characters are not allowed and need to be escaped: %00-%1F, %7F-%FF,
" ", """, "<", ">", "\", "^", "`", "{", "|", "}".

Not escaping ">" is known to cause problems at least with MS Exchange (see
http://nginx.org/pipermail/nginx-ru/2010-January/031261.html) and in
Tomcat (ticket #2191).

The patch adds escaping of the following chars in all URI parts: """, "<",
">", "\", "^", "`", "{", "|", "}".  Note that comments are mostly preserved
to outline important characters being escaped.
Core: fixed comment about escaping in arguments. 2021-06-28T15:01:09+00:00 Maxim Dounin mdounin@mdounin.ru 2021-06-28T15:01:09+00:00 31d1c34b394ee30b30084ff160133708d0d3b030 After 4954530db2af, the ";" character is escaped by ngx_escape_uri(NGX_ESCAPE_ARGS). 
After 4954530db2af, the ";" character is escaped by
ngx_escape_uri(NGX_ESCAPE_ARGS).
Core: fixed comment about msie_refresh escaping. 2021-05-19T13:24:13+00:00 Ruslan Ermilov ru@nginx.com 2021-05-19T13:24:13+00:00 6029e211c63895c44a942bacc32c6d2f565cc3e3 After 12a656452ad1, the "%" character is no longer escaped by ngx_escape_uri(NGX_ESCAPE_REFRESH). 
After 12a656452ad1, the "%" character is no longer escaped by
ngx_escape_uri(NGX_ESCAPE_REFRESH).
Core: added format specifiers to output binary data as hex. 2020-10-28T07:56:11+00:00 Vladimir Homutov vl@nginx.com 2020-10-28T07:56:11+00:00 3c0427373381097a9e25ccc2cb46bbc1ccac87a2 Now "s", "V", and "v" format specifiers may be prefixed with "x" (lowercase) or "X" (uppercase) to output corresponding data in hexadecimal format. In collaboration with Maxim Dounin. 
Now "s", "V", and "v" format specifiers may be prefixed with "x" (lowercase)
or "X" (uppercase) to output corresponding data in hexadecimal format.

In collaboration with Maxim Dounin.
Fixed incorrect length handling in ngx_utf8_length(). 2019-04-15T17:14:07+00:00 Maxim Dounin mdounin@mdounin.ru 2019-04-15T17:14:07+00:00 f09eae2a7586c5149fe7eaa497c8ff1be684270f Previously, ngx_utf8_decode() was called from ngx_utf8_length() with incorrect length, potentially resulting in out-of-bounds read when handling invalid UTF-8 strings. In practice out-of-bounds reads are not possible though, as autoindex, the only user of ngx_utf8_length(), provides null-terminated strings, and ngx_utf8_decode() anyway returns an errors when it sees a null in the middle of an UTF-8 sequence. Reported by Yunbin Liu. 
Previously, ngx_utf8_decode() was called from ngx_utf8_length() with
incorrect length, potentially resulting in out-of-bounds read when
handling invalid UTF-8 strings.

In practice out-of-bounds reads are not possible though, as autoindex, the
only user of ngx_utf8_length(), provides null-terminated strings, and
ngx_utf8_decode() anyway returns an errors when it sees a null in the
middle of an UTF-8 sequence.

Reported by Yunbin Liu.
Core: ngx_explicit_memzero(). 2018-11-15T18:28:02+00:00 Maxim Dounin mdounin@mdounin.ru 2018-11-15T18:28:02+00:00 6c3838f9ed45f5c2aa6a971a0da3cb6ffe45b61e 






Fixed handling of non-null-terminated unix sockets.
2017-10-04T18:19:38+00:00

Maxim Dounin
mdounin@mdounin.ru

2017-10-04T18:19:38+00:00

cba23f88ec6740b7f8d6a1383254708a91d37625

At least FreeBSD, macOS, NetBSD, and OpenBSD can return unix sockets
with non-null-terminated sun_path.  Additionally, the address may become
non-null-terminated if it does not fit into the buffer provided and was
truncated (may happen on macOS, NetBSD, and Solaris, which allow unix socket
addresess larger than struct sockaddr_un).  As such, ngx_sock_ntop() might
overread the sockaddr provided, as it used "%s" format and thus assumed
null-terminated string.

To fix this, the ngx_strnlen() function was introduced, and it is now used
to calculate correct length of sun_path.





At least FreeBSD, macOS, NetBSD, and OpenBSD can return unix sockets
with non-null-terminated sun_path.  Additionally, the address may become
non-null-terminated if it does not fit into the buffer provided and was
truncated (may happen on macOS, NetBSD, and Solaris, which allow unix socket
addresess larger than struct sockaddr_un).  As such, ngx_sock_ntop() might
overread the sockaddr provided, as it used "%s" format and thus assumed
null-terminated string.

To fix this, the ngx_strnlen() function was introduced, and it is now used
to calculate correct length of sun_path.







Parenthesized ASCII-related calculations.
2017-07-17T14:23:51+00:00

Valentin Bartenev
vbart@nginx.com

2017-07-17T14:23:51+00:00

9197a3c8741a8832e6f6ed24a72dc5b078d840fd

This also fixes potential undefined behaviour in the range and slice filter
modules, caused by local overflows of signed integers in expressions.





This also fixes potential undefined behaviour in the range and slice filter
modules, caused by local overflows of signed integers in expressions.