nginx.git/src/http/modules, branch release-1.15.9 nginx SSL: fixed possible segfault with dynamic certificates. 2019-02-25T18:16:26+00:00 Maxim Dounin mdounin@mdounin.ru 2019-02-25T18:16:26+00:00 1a30d79c429cb1d4438d592db62cbe701e3b4360 A virtual server may have no SSL context if it does not have certificates defined, so we have to use config of the ngx_http_ssl_module from the SSL context in the certificate callback. To do so, it is now passed as the argument of the callback. The stream module doesn't really need any changes, but was modified as well to match http code. 
A virtual server may have no SSL context if it does not have certificates
defined, so we have to use config of the ngx_http_ssl_module from the
SSL context in the certificate callback.  To do so, it is now passed as
the argument of the callback.

The stream module doesn't really need any changes, but was modified as
well to match http code.
SSL: adjusted session id context with dynamic certificates. 2019-02-25T13:42:54+00:00 Maxim Dounin mdounin@mdounin.ru 2019-02-25T13:42:54+00:00 ecfab06cb20959219c9aadc2ef59507488e4fa99 Dynamic certificates re-introduce problem with incorrect session reuse (AKA "virtual host confusion", CVE-2014-3616), since there are no server certificates to generate session id context from. To prevent this, session id context is now generated from ssl_certificate directives as specified in the configuration. This approach prevents incorrect session reuse in most cases, while still allowing sharing sessions across multiple machines with ssl_session_ticket_key set as long as configurations are identical. 
Dynamic certificates re-introduce problem with incorrect session
reuse (AKA "virtual host confusion", CVE-2014-3616), since there are
no server certificates to generate session id context from.

To prevent this, session id context is now generated from ssl_certificate
directives as specified in the configuration.  This approach prevents
incorrect session reuse in most cases, while still allowing sharing
sessions across multiple machines with ssl_session_ticket_key set as
long as configurations are identical.
SSL: passwords support for dynamic certificate loading. 2019-02-25T13:42:23+00:00 Maxim Dounin mdounin@mdounin.ru 2019-02-25T13:42:23+00:00 8772a0e0892e632c37f3b92b1d287ed9b473cb13 Passwords have to be copied to the configuration pool to be used at runtime. Also, to prevent blocking on stdin (with "daemon off;") an empty password list is provided. To make things simpler, password handling was modified to allow an empty array (with 0 elements and elts set to NULL) as an equivalent of an array with 1 empty password. 
Passwords have to be copied to the configuration pool to be used
at runtime.  Also, to prevent blocking on stdin (with "daemon off;")
an empty password list is provided.

To make things simpler, password handling was modified to allow
an empty array (with 0 elements and elts set to NULL) as an equivalent
of an array with 1 empty password.
SSL: variables support in ssl_certificate and ssl_certificate_key. 2019-02-25T13:42:05+00:00 Maxim Dounin mdounin@mdounin.ru 2019-02-25T13:42:05+00:00 6e5a731edb6c1b8581c4b6fd2a2bf4ec0e768c24 To evaluate variables, a request is created in the certificate callback, and then freed. To do this without side effects on the stub_status counters and connection state, an additional function was introduced, ngx_http_alloc_request(). Only works with OpenSSL 1.0.2+, since there is no SSL_CTX_set_cert_cb() in older versions. 
To evaluate variables, a request is created in the certificate callback,
and then freed.  To do this without side effects on the stub_status
counters and connection state, an additional function was introduced,
ngx_http_alloc_request().

Only works with OpenSSL 1.0.2+, since there is no SSL_CTX_set_cert_cb()
in older versions.
Autoindex: fixed possible integer overflow on 32-bit systems. 2018-12-25T09:59:24+00:00 Vladimir Homutov vl@nginx.com 2018-12-25T09:59:24+00:00 910f330ad0caa49fe901e9426ef00d95d45ba32c 






Win32: removed NGX_DIR_MASK concept.
2018-12-24T18:07:05+00:00

Maxim Dounin
mdounin@mdounin.ru

2018-12-24T18:07:05+00:00

aa741f87273f2137d9a52080593c5fe6f1d1b0ea

Previous interface of ngx_open_dir() assumed that passed directory name
has a room for NGX_DIR_MASK at the end (NGX_DIR_MASK_LEN bytes).  While all
direct users of ngx_dir_open() followed this interface, this also implied
similar requirements for indirect uses - in particular, via ngx_walk_tree().

Currently none of ngx_walk_tree() uses provides appropriate space, and
fixing this does not look like a right way to go.  Instead, ngx_dir_open()
interface was changed to not require any additional space and use
appropriate allocations instead.





Previous interface of ngx_open_dir() assumed that passed directory name
has a room for NGX_DIR_MASK at the end (NGX_DIR_MASK_LEN bytes).  While all
direct users of ngx_dir_open() followed this interface, this also implied
similar requirements for indirect uses - in particular, via ngx_walk_tree().

Currently none of ngx_walk_tree() uses provides appropriate space, and
fixing this does not look like a right way to go.  Instead, ngx_dir_open()
interface was changed to not require any additional space and use
appropriate allocations instead.







Userid: using stub for AF_UNIX addresses.
2018-12-24T16:55:00+00:00

Sergey Kandaurov
pluknet@nginx.com

2018-12-24T16:55:00+00:00

499bb2655ee16e4659d571b413b1ea54fd19dcd1

Previously, AF_UNIX addresses misbehaved as AF_INET, which typically resulted
in $uid_set composed from the middle of sun_path.





Previously, AF_UNIX addresses misbehaved as AF_INET, which typically resulted
in $uid_set composed from the middle of sun_path.







Geo: fixed handling of AF_UNIX client addresses (ticket #1684).
2018-12-14T15:11:06+00:00

Maxim Dounin
mdounin@mdounin.ru

2018-12-14T15:11:06+00:00

ce4a23d144762cfa27c0e4b13f74cada2f7486a8

Previously, AF_UNIX client addresses were handled as AF_INET, leading
to unexpected results.





Previously, AF_UNIX client addresses were handled as AF_INET, leading
to unexpected results.







Mp4: fixed possible pointer overflow on 32-bit platforms.
2018-11-21T17:23:16+00:00

Maxim Dounin
mdounin@mdounin.ru

2018-11-21T17:23:16+00:00

f5708e66c7187c2489a7d0b39918f6d0fe4c6645

On 32-bit platforms mp4->buffer_pos might overflow when a large
enough (close to 4 gigabytes) atom is being skipped, resulting in
incorrect memory addesses being read further in the code.  In most
cases this results in harmless errors being logged, though may also
result in a segmentation fault if hitting unmapped pages.

To address this, ngx_mp4_atom_next() now only increments mp4->buffer_pos
up to mp4->buffer_end.  This ensures that overflow cannot happen.





On 32-bit platforms mp4->buffer_pos might overflow when a large
enough (close to 4 gigabytes) atom is being skipped, resulting in
incorrect memory addesses being read further in the code.  In most
cases this results in harmless errors being logged, though may also
result in a segmentation fault if hitting unmapped pages.

To address this, ngx_mp4_atom_next() now only increments mp4->buffer_pos
up to mp4->buffer_end.  This ensures that overflow cannot happen.







Limit req: "delay=" parameter.
2018-11-21T15:56:50+00:00

Maxim Dounin
mdounin@mdounin.ru

2018-11-21T15:56:50+00:00

aedc37fb3e7fb4550c17c4ec7aed3d33c73aab43

This parameter specifies an additional "soft" burst limit at which requests
become delayed (but not yet rejected as it happens if "burst=" limit is
exceeded).  Defaults to 0, i.e., all excess requests are delayed.

Originally inspired by Vladislav Shabanov
(http://mailman.nginx.org/pipermail/nginx-devel/2016-April/008126.html).
Further improved based on a patch by Peter Shchuchkin
(http://mailman.nginx.org/pipermail/nginx-devel/2018-October/011522.html).





This parameter specifies an additional "soft" burst limit at which requests
become delayed (but not yet rejected as it happens if "burst=" limit is
exceeded).  Defaults to 0, i.e., all excess requests are delayed.

Originally inspired by Vladislav Shabanov
(http://mailman.nginx.org/pipermail/nginx-devel/2016-April/008126.html).
Further improved based on a patch by Peter Shchuchkin
(http://mailman.nginx.org/pipermail/nginx-devel/2018-October/011522.html).