nginx.git/src/http/modules/ngx_http_fastcgi_module.c, branch release-1.28.3 nginx Use NGX_CONF_OK in some function return checks. 2025-12-23T18:40:33+00:00 Andrew Clayton a.clayton@nginx.com 2025-05-21T21:19:32+00:00 36744831036cc4f68b32f02d1cd1bd33352bd298 The functions ngx_http_merge_types() & ngx_conf_merge_path_value() return either NGX_CONF_OK aka NULL aka ((void *)0) (probably) or NGX_CONF_ERROR aka ((void *)-1). They don't return an integer constant which is what NGX_OK aka (0) is. Lets use the right thing in the function return check. This was found with -Wzero-as-null-pointer-constant which was enabled for C in GCC 15 (not enabled with Wall or Wextra... yet). Link: <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=117059> 
The functions ngx_http_merge_types() & ngx_conf_merge_path_value()
return either NGX_CONF_OK aka NULL aka ((void *)0) (probably) or
NGX_CONF_ERROR aka ((void *)-1).

They don't return an integer constant which is what NGX_OK aka (0) is.

Lets use the right thing in the function return check.

This was found with -Wzero-as-null-pointer-constant which was enabled
for C in GCC 15 (not enabled with Wall or Wextra... yet).

Link: <https://gcc.gnu.org/bugzilla/show_bug.cgi?id=117059>
Upstream: disallow empty path in proxy_store and friends. 2024-11-25T13:37:11+00:00 Sergey Kandaurov pluknet@nginx.com 2024-11-21T08:35:50+00:00 a448dd52ee27ec3a550cb7d03fd27153f4799f0c Renaming a temporary file to an empty path ("") returns NGX_ENOPATH with a subsequent ngx_create_full_path() to create the full path. This function skips initial bytes as part of path separator lookup, which causes out of bounds access on short strings. The fix is to avoid renaming a temporary file to an obviously invalid path, as well as explicitly forbid such syntax for literal values. Although Coverity reports about potential type underflow, it is not actually possible because the terminating '\0' is always included. Notably, the run-time check is sufficient enough for Win32 as well. Other short invalid values result either in NGX_ENOENT or NGX_EEXIST and "MoveFile() .. failed" critical log messages, which involves a separate error handling. Prodded by Coverity (CID 1605485). 
Renaming a temporary file to an empty path ("") returns NGX_ENOPATH
with a subsequent ngx_create_full_path() to create the full path.
This function skips initial bytes as part of path separator lookup,
which causes out of bounds access on short strings.

The fix is to avoid renaming a temporary file to an obviously invalid
path, as well as explicitly forbid such syntax for literal values.

Although Coverity reports about potential type underflow, it is not
actually possible because the terminating '\0' is always included.

Notably, the run-time check is sufficient enough for Win32 as well.
Other short invalid values result either in NGX_ENOENT or NGX_EEXIST
and "MoveFile() .. failed" critical log messages, which involves a
separate error handling.

Prodded by Coverity (CID 1605485).
FastCGI: fixed create_loc_conf comments after 05b1a8f1e. 2024-11-12T13:21:22+00:00 Sergey Kandaurov pluknet@nginx.com 2024-10-08T13:48:15+00:00 a5e152b3d9addf4ae35f40ca17ab4d62bdcbe69b 






Upstream: variables support in proxy_limit_rate and friends.
2023-11-25T21:57:09+00:00

J Carter
jordan.carter@outlook.com

2023-11-25T21:57:09+00:00

71ca978a352e025151a78bfcedc0d64814b062cb












Upstream: fixed handling of Status headers without reason-phrase.
2023-08-31T19:59:17+00:00

Maxim Dounin
mdounin@mdounin.ru

2023-08-31T19:59:17+00:00

fa46a5719924a5a4c48c515a903e0c46a4d98bcf

Status header with an empty reason-phrase, such as "Status: 404 ", is
valid per CGI specification, but looses the trailing space during parsing.
Currently, this results in "HTTP/1.1 404" HTTP status line in the response,
which violates HTTP specification due to missing trailing space.

With this change, only the status code is used from such short Status
header lines, so nginx will generate status line itself, with the space
and appropriate reason phrase if available.

Reported at:
https://mailman.nginx.org/pipermail/nginx/2023-August/EX7G4JUUHJWJE5UOAZMO5UD6OJILCYGX.html





Status header with an empty reason-phrase, such as "Status: 404 ", is
valid per CGI specification, but looses the trailing space during parsing.
Currently, this results in "HTTP/1.1 404" HTTP status line in the response,
which violates HTTP specification due to missing trailing space.

With this change, only the status code is used from such short Status
header lines, so nginx will generate status line itself, with the space
and appropriate reason phrase if available.

Reported at:
https://mailman.nginx.org/pipermail/nginx/2023-August/EX7G4JUUHJWJE5UOAZMO5UD6OJILCYGX.html







Upstream: header handlers can now return parsing errors.
2022-05-30T18:25:48+00:00

Maxim Dounin
mdounin@mdounin.ru

2022-05-30T18:25:48+00:00

d22157fade0c3dc05b860be8d7e3eff4a56cb7d3

With this change, duplicate Content-Length and Transfer-Encoding headers
are now rejected.  Further, responses with invalid Content-Length or
Transfer-Encoding headers are now rejected, as well as responses with both
Content-Length and Transfer-Encoding.





With this change, duplicate Content-Length and Transfer-Encoding headers
are now rejected.  Further, responses with invalid Content-Length or
Transfer-Encoding headers are now rejected, as well as responses with both
Content-Length and Transfer-Encoding.







FastCGI: combining headers with identical names (ticket #1724).
2022-05-30T18:25:27+00:00

Maxim Dounin
mdounin@mdounin.ru

2022-05-30T18:25:27+00:00

d8a7c653e4b8e842c947c0a550a7bc5a7812058a

FastCGI responder is expected to receive CGI/1.1 environment variables
in the parameters (see section "6.2 Responder" of the FastCGI specification).
Obviously enough, there cannot be multiple environment variables with
the same name.

Further, CGI specification (RFC 3875, section "4.1.18. Protocol-Specific
Meta-Variables") explicitly requires to combine headers: "If multiple
header fields with the same field-name are received then the server MUST
rewrite them as a single value having the same semantics".





FastCGI responder is expected to receive CGI/1.1 environment variables
in the parameters (see section "6.2 Responder" of the FastCGI specification).
Obviously enough, there cannot be multiple environment variables with
the same name.

Further, CGI specification (RFC 3875, section "4.1.18. Protocol-Specific
Meta-Variables") explicitly requires to combine headers: "If multiple
header fields with the same field-name are received then the server MUST
rewrite them as a single value having the same semantics".







Upstream: fixed logging level of upstream invalid header errors.
2021-10-18T13:46:59+00:00

Maxim Dounin
mdounin@mdounin.ru

2021-10-18T13:46:59+00:00

dde319ee0c9de26a6f104feb062cfffaa32c16c0

In b87b7092cedb (nginx 1.21.1), logging level of "upstream sent invalid
header" errors was accidentally changed to "info".  This change restores
the "error" level, which is a proper logging level for upstream-side
errors.





In b87b7092cedb (nginx 1.21.1), logging level of "upstream sent invalid
header" errors was accidentally changed to "info".  This change restores
the "error" level, which is a proper logging level for upstream-side
errors.







Improved logging of invalid headers.
2021-06-28T15:01:20+00:00

Maxim Dounin
mdounin@mdounin.ru

2021-06-28T15:01:20+00:00

7587778a33bea0ce6f203a8c4de18e33f38b9582

In 71edd9192f24 logging of invalid headers which were rejected with the
NGX_HTTP_PARSE_INVALID_HEADER error was restricted to just the "client
sent invalid header line" message, without any attempts to log the header
itself.

This patch returns logging of the header up to the invalid character and
the character itself.  The r->header_end pointer is now properly set
in all cases to make logging possible.

The same logging is also introduced when parsing headers from upstream
servers.





In 71edd9192f24 logging of invalid headers which were rejected with the
NGX_HTTP_PARSE_INVALID_HEADER error was restricted to just the "client
sent invalid header line" message, without any attempts to log the header
itself.

This patch returns logging of the header up to the invalid character and
the character itself.  The r->header_end pointer is now properly set
in all cases to make logging possible.

The same logging is also introduced when parsing headers from upstream
servers.







FastCGI: fixed zero size buf alerts on extra data (ticket #2018).
2020-07-27T13:02:15+00:00

Maxim Dounin
mdounin@mdounin.ru

2020-07-27T13:02:15+00:00

d2744ad26fef1e4f4f6e9c12e95b57866345c071

After 05e42236e95b (1.19.1) responses with extra data might result in
zero size buffers being generated and "zero size buf" alerts in writer
(if f->rest happened to be 0 when processing additional stdout data).





After 05e42236e95b (1.19.1) responses with extra data might result in
zero size buffers being generated and "zero size buf" alerts in writer
(if f->rest happened to be 0 when processing additional stdout data).