nginx.git/src/http/modules, branch release-1.17.6 nginx Limit conn: added shared context. 2019-11-18T16:50:59+00:00 Roman Arutyunyan arut@nginx.com 2019-11-18T16:50:59+00:00 5dc242e8f75eae718c1a941e663d7f483acf7c62 Previously only an rbtree was associated with a limit_conn. To make it possible to associate more data with a limit_conn, shared context is introduced similar to limit_req. Also, shared pool pointer is kept in a way similar to limit_req. 
Previously only an rbtree was associated with a limit_conn.  To make it
possible to associate more data with a limit_conn, shared context is introduced
similar to limit_req.  Also, shared pool pointer is kept in a way similar to
limit_req.
Limit conn: $limit_conn_status variable. 2019-11-18T14:48:32+00:00 Roman Arutyunyan arut@nginx.com 2019-11-18T14:48:32+00:00 3a55d60d2d22788cd35cdd3f207d01d55984c1cf The variable takes one of the values: PASSED, REJECTED or REJECTED_DRY_RUN. 
The variable takes one of the values: PASSED, REJECTED or REJECTED_DRY_RUN.
Limit conn: limit_conn_dry_run directive. 2019-11-19T08:30:41+00:00 Roman Arutyunyan arut@nginx.com 2019-11-19T08:30:41+00:00 b48c8718bf9b135368c8c9eb969db5dce6e0ed35 A new directive limit_conn_dry_run allows enabling the dry run mode. In this mode connections are not rejected, but reject status is logged as usual. 
A new directive limit_conn_dry_run allows enabling the dry run mode.  In this
mode connections are not rejected, but reject status is logged as usual.
Limit req: $limit_req_status variable. 2019-11-06T16:03:18+00:00 Roman Arutyunyan arut@nginx.com 2019-11-06T16:03:18+00:00 02ec15dc0d26df13a32074de030f8a57c162d593 The variable takes one of the values: PASSED, DELAYED, REJECTED, DELAYED_DRY_RUN or REJECTED_DRY_RUN. 
The variable takes one of the values: PASSED, DELAYED, REJECTED,
DELAYED_DRY_RUN or REJECTED_DRY_RUN.
Core: moved PROXY protocol fields out of ngx_connection_t. 2019-10-21T15:06:19+00:00 Roman Arutyunyan arut@nginx.com 2019-10-21T15:06:19+00:00 be932e81a1531a3ba032febad968fc2006c4fa48 Now a new structure ngx_proxy_protocol_t holds these fields. This allows to add more PROXY protocol fields in the future without modifying the connection structure. 
Now a new structure ngx_proxy_protocol_t holds these fields.  This allows
to add more PROXY protocol fields in the future without modifying the
connection structure.
SSL: fixed ssl_verify_client error message. 2019-09-16T16:26:42+00:00 Sergey Kandaurov pluknet@nginx.com 2019-09-16T16:26:42+00:00 555dc61b543bb1fbc50f45b58a422f519d7065ce 






Gzip: fixed "zero size buf" alerts after ac5a741d39cf.
2019-07-31T14:29:00+00:00

Maxim Dounin
mdounin@mdounin.ru

2019-07-31T14:29:00+00:00

39c40428f93db246a9a27e7a109413fae46e195d

After ac5a741d39cf it is now possible that after zstream.avail_out
reaches 0 and we allocate additional buffer, there will be no more data
to put into this buffer, triggering "zero size buf" alert.  Fix is to
reset b->temporary flag in this case.

Additionally, an optimization added to avoid allocating additional buffer
in this case, by checking if last deflate() call returned Z_STREAM_END.
Note that checking for Z_STREAM_END by itself is not enough to fix alerts,
as deflate() can return Z_STREAM_END without producing any output if the
buffer is smaller than gzip trailer.

Reported by Witold Filipczyk,
http://mailman.nginx.org/pipermail/nginx-devel/2019-July/012469.html.





After ac5a741d39cf it is now possible that after zstream.avail_out
reaches 0 and we allocate additional buffer, there will be no more data
to put into this buffer, triggering "zero size buf" alert.  Fix is to
reset b->temporary flag in this case.

Additionally, an optimization added to avoid allocating additional buffer
in this case, by checking if last deflate() call returned Z_STREAM_END.
Note that checking for Z_STREAM_END by itself is not enough to fix alerts,
as deflate() can return Z_STREAM_END without producing any output if the
buffer is smaller than gzip trailer.

Reported by Witold Filipczyk,
http://mailman.nginx.org/pipermail/nginx-devel/2019-July/012469.html.







Xslt: fixed potential buffer overflow with null character.
2019-07-18T15:27:54+00:00

Maxim Dounin
mdounin@mdounin.ru

2019-07-18T15:27:54+00:00

2187586207e1465d289ae64cedc829719a048a39

Due to shortcomings of the ccv->zero flag implementation in complex value
interface, length of the resulting string from ngx_http_complex_value()
might either not include terminating null character or include it,
so the only safe way to work with the result is to use it as a
null-terminated string.

Reported by Patrick Wollgast.





Due to shortcomings of the ccv->zero flag implementation in complex value
interface, length of the resulting string from ngx_http_complex_value()
might either not include terminating null character or include it,
so the only safe way to work with the result is to use it as a
null-terminated string.

Reported by Patrick Wollgast.







SSI: avoid potential buffer overflow.
2019-07-18T15:27:53+00:00

Maxim Dounin
mdounin@mdounin.ru

2019-07-18T15:27:53+00:00

ad42d70fed67c1e7098055fb25721ab904db2389

When "-" follows a parameter of maximum length, a single byte buffer
overflow happens, since the error branch does not check parameter length.
Fix is to avoid saving "-" to the parameter key, and instead use an error
message with "-" explicitly written.  The message is mostly identical to
one used in similar cases in the preequal state.

Reported by Patrick Wollgast.





When "-" follows a parameter of maximum length, a single byte buffer
overflow happens, since the error branch does not check parameter length.
Fix is to avoid saving "-" to the parameter key, and instead use an error
message with "-" explicitly written.  The message is mostly identical to
one used in similar cases in the preequal state.

Reported by Patrick Wollgast.







Perl: removed unused variable, forgotten in 975d7ab37b39.
2019-07-17T14:00:57+00:00

Maxim Dounin
mdounin@mdounin.ru

2019-07-17T14:00:57+00:00

676d1a0e947c8f39e2606997a3628ec6bdea177d