nginx.git/src/http/modules, branch release-1.17.0 nginx Range filter: fixed duplicate last buffers. 2019-05-13T19:44:49+00:00 Maxim Dounin mdounin@mdounin.ru 2019-05-13T19:44:49+00:00 2015a548214b08be1a556f8b8c447dcb61356448 In ngx_http_range_singlepart_body() special buffers where passed unmodified, including ones after the end of the range. As such, if the last buffer of a response was sent separately as a special buffer, two buffers with b->last_buf set were present in the response. In particular, this might result in a duplicate final chunk when using chunked transfer encoding (normally range filter and chunked transfer encoding are not used together, but this may happen if there are trailers in the response). This also likely to cause problems in HTTP/2. Fix is to skip all special buffers after we've sent the last part of the range requested. These special buffers are not meaningful anyway, since we set b->last_buf in the buffer with the last part of the range, and everything is expected to be flushed due to it. Additionally, ngx_http_next_body_filter() is now called even if no buffers are to be passed to it. This ensures that various write events are properly propagated through the filter chain. In particular, this fixes test failures observed with the above change and aio enabled. 
In ngx_http_range_singlepart_body() special buffers where passed
unmodified, including ones after the end of the range.  As such,
if the last buffer of a response was sent separately as a special
buffer, two buffers with b->last_buf set were present in the response.

In particular, this might result in a duplicate final chunk when using
chunked transfer encoding (normally range filter and chunked transfer
encoding are not used together, but this may happen if there are trailers
in the response).  This also likely to cause problems in HTTP/2.

Fix is to skip all special buffers after we've sent the last part of
the range requested.  These special buffers are not meaningful anyway,
since we set b->last_buf in the buffer with the last part of the range,
and everything is expected to be flushed due to it.

Additionally, ngx_http_next_body_filter() is now called even
if no buffers are to be passed to it.  This ensures that various
write events are properly propagated through the filter chain.  In
particular, this fixes test failures observed with the above change
and aio enabled.
Range filter: fixed loss of incoming chain links. 2019-05-13T19:44:02+00:00 Maxim Dounin mdounin@mdounin.ru 2019-05-13T19:44:02+00:00 ce0f35317e16c85c1ccae8f3a0a1d6f2426b2e78 Filters are not allowed to change incoming chain links, and should allocate their own links if any modifications are needed. Nevertheless ngx_http_range_singlepart_body() modified incoming chain links in some cases, notably at the end of the requested range. No problems caused by this are currently known, mostly because of limited number of possible modifications and the position of the range body filter in the filter chain. Though this behaviour is clearly incorrect and tests demonstrate that it can at least cause some proxy buffers being lost when using proxy_force_ranges, leading to less effective handling of responses. Fix is to always allocate new chain links in ngx_http_range_singlepart_body(). Links are explicitly freed to ensure constant memory usage with long-lived requests. 
Filters are not allowed to change incoming chain links, and should allocate
their own links if any modifications are needed.  Nevertheless
ngx_http_range_singlepart_body() modified incoming chain links in some
cases, notably at the end of the requested range.

No problems caused by this are currently known, mostly because of
limited number of possible modifications and the position of the range
body filter in the filter chain.  Though this behaviour is clearly incorrect
and tests demonstrate that it can at least cause some proxy buffers being
lost when using proxy_force_ranges, leading to less effective handling
of responses.

Fix is to always allocate new chain links in ngx_http_range_singlepart_body().
Links are explicitly freed to ensure constant memory usage with long-lived
requests.
SSL: fixed potential leak on memory allocation errors. 2019-03-03T13:48:39+00:00 Maxim Dounin mdounin@mdounin.ru 2019-03-03T13:48:39+00:00 fe43346dc3151e80dae0acd751f0a94314dcb91c If ngx_pool_cleanup_add() fails, we have to clean just created SSL context manually, thus appropriate call added. Additionally, ngx_pool_cleanup_add() moved closer to ngx_ssl_create() in the ngx_http_ssl_module, to make sure there are no leaks due to intermediate code. 
If ngx_pool_cleanup_add() fails, we have to clean just created SSL context
manually, thus appropriate call added.

Additionally, ngx_pool_cleanup_add() moved closer to ngx_ssl_create() in
the ngx_http_ssl_module, to make sure there are no leaks due to intermediate
code.
SSL: fixed possible segfault with dynamic certificates. 2019-02-25T18:16:26+00:00 Maxim Dounin mdounin@mdounin.ru 2019-02-25T18:16:26+00:00 1a30d79c429cb1d4438d592db62cbe701e3b4360 A virtual server may have no SSL context if it does not have certificates defined, so we have to use config of the ngx_http_ssl_module from the SSL context in the certificate callback. To do so, it is now passed as the argument of the callback. The stream module doesn't really need any changes, but was modified as well to match http code. 
A virtual server may have no SSL context if it does not have certificates
defined, so we have to use config of the ngx_http_ssl_module from the
SSL context in the certificate callback.  To do so, it is now passed as
the argument of the callback.

The stream module doesn't really need any changes, but was modified as
well to match http code.
SSL: adjusted session id context with dynamic certificates. 2019-02-25T13:42:54+00:00 Maxim Dounin mdounin@mdounin.ru 2019-02-25T13:42:54+00:00 ecfab06cb20959219c9aadc2ef59507488e4fa99 Dynamic certificates re-introduce problem with incorrect session reuse (AKA "virtual host confusion", CVE-2014-3616), since there are no server certificates to generate session id context from. To prevent this, session id context is now generated from ssl_certificate directives as specified in the configuration. This approach prevents incorrect session reuse in most cases, while still allowing sharing sessions across multiple machines with ssl_session_ticket_key set as long as configurations are identical. 
Dynamic certificates re-introduce problem with incorrect session
reuse (AKA "virtual host confusion", CVE-2014-3616), since there are
no server certificates to generate session id context from.

To prevent this, session id context is now generated from ssl_certificate
directives as specified in the configuration.  This approach prevents
incorrect session reuse in most cases, while still allowing sharing
sessions across multiple machines with ssl_session_ticket_key set as
long as configurations are identical.
SSL: passwords support for dynamic certificate loading. 2019-02-25T13:42:23+00:00 Maxim Dounin mdounin@mdounin.ru 2019-02-25T13:42:23+00:00 8772a0e0892e632c37f3b92b1d287ed9b473cb13 Passwords have to be copied to the configuration pool to be used at runtime. Also, to prevent blocking on stdin (with "daemon off;") an empty password list is provided. To make things simpler, password handling was modified to allow an empty array (with 0 elements and elts set to NULL) as an equivalent of an array with 1 empty password. 
Passwords have to be copied to the configuration pool to be used
at runtime.  Also, to prevent blocking on stdin (with "daemon off;")
an empty password list is provided.

To make things simpler, password handling was modified to allow
an empty array (with 0 elements and elts set to NULL) as an equivalent
of an array with 1 empty password.
SSL: variables support in ssl_certificate and ssl_certificate_key. 2019-02-25T13:42:05+00:00 Maxim Dounin mdounin@mdounin.ru 2019-02-25T13:42:05+00:00 6e5a731edb6c1b8581c4b6fd2a2bf4ec0e768c24 To evaluate variables, a request is created in the certificate callback, and then freed. To do this without side effects on the stub_status counters and connection state, an additional function was introduced, ngx_http_alloc_request(). Only works with OpenSSL 1.0.2+, since there is no SSL_CTX_set_cert_cb() in older versions. 
To evaluate variables, a request is created in the certificate callback,
and then freed.  To do this without side effects on the stub_status
counters and connection state, an additional function was introduced,
ngx_http_alloc_request().

Only works with OpenSSL 1.0.2+, since there is no SSL_CTX_set_cert_cb()
in older versions.
Autoindex: fixed possible integer overflow on 32-bit systems. 2018-12-25T09:59:24+00:00 Vladimir Homutov vl@nginx.com 2018-12-25T09:59:24+00:00 910f330ad0caa49fe901e9426ef00d95d45ba32c 






Win32: removed NGX_DIR_MASK concept.
2018-12-24T18:07:05+00:00

Maxim Dounin
mdounin@mdounin.ru

2018-12-24T18:07:05+00:00

aa741f87273f2137d9a52080593c5fe6f1d1b0ea

Previous interface of ngx_open_dir() assumed that passed directory name
has a room for NGX_DIR_MASK at the end (NGX_DIR_MASK_LEN bytes).  While all
direct users of ngx_dir_open() followed this interface, this also implied
similar requirements for indirect uses - in particular, via ngx_walk_tree().

Currently none of ngx_walk_tree() uses provides appropriate space, and
fixing this does not look like a right way to go.  Instead, ngx_dir_open()
interface was changed to not require any additional space and use
appropriate allocations instead.





Previous interface of ngx_open_dir() assumed that passed directory name
has a room for NGX_DIR_MASK at the end (NGX_DIR_MASK_LEN bytes).  While all
direct users of ngx_dir_open() followed this interface, this also implied
similar requirements for indirect uses - in particular, via ngx_walk_tree().

Currently none of ngx_walk_tree() uses provides appropriate space, and
fixing this does not look like a right way to go.  Instead, ngx_dir_open()
interface was changed to not require any additional space and use
appropriate allocations instead.







Userid: using stub for AF_UNIX addresses.
2018-12-24T16:55:00+00:00

Sergey Kandaurov
pluknet@nginx.com

2018-12-24T16:55:00+00:00

499bb2655ee16e4659d571b413b1ea54fd19dcd1

Previously, AF_UNIX addresses misbehaved as AF_INET, which typically resulted
in $uid_set composed from the middle of sun_path.





Previously, AF_UNIX addresses misbehaved as AF_INET, which typically resulted
in $uid_set composed from the middle of sun_path.