nginx.git/src/http/modules, branch release-1.18.0 nginx Auth basic: explicitly zero out password buffer. 2020-03-12T23:12:10+00:00 Ruslan Ermilov ru@nginx.com 2020-03-12T23:12:10+00:00 65ae8b315211988a821bdc32050768f41571ddae 






Mp4: fixed possible chunk offset overflow.
2020-02-26T12:10:46+00:00

Roman Arutyunyan
arut@nginx.com

2020-02-26T12:10:46+00:00

ba27037a498ed3839648d7a4097b01ed14949f18

In "co64" atom chunk start offset is a 64-bit unsigned integer.  When trimming
the "mdat" atom, chunk offsets are casted to off_t values which are typically
64-bit signed integers.  A specially crafted mp4 file with huge chunk offsets
may lead to off_t overflow and result in negative trim boundaries.

The consequences of the overflow are:
- Incorrect Content-Length header value in the response.
- Negative left boundary of the response file buffer holding the trimmed "mdat".
  This leads to pread()/sendfile() errors followed by closing the client
  connection.

On rare systems where off_t is a 32-bit integer, this scenario is also feasible
with the "stco" atom.

The fix is to add checks which make sure data chunks referenced by each track
are within the mp4 file boundaries.  Additionally a few more checks are added to
ensure mp4 file consistency and log errors.





In "co64" atom chunk start offset is a 64-bit unsigned integer.  When trimming
the "mdat" atom, chunk offsets are casted to off_t values which are typically
64-bit signed integers.  A specially crafted mp4 file with huge chunk offsets
may lead to off_t overflow and result in negative trim boundaries.

The consequences of the overflow are:
- Incorrect Content-Length header value in the response.
- Negative left boundary of the response file buffer holding the trimmed "mdat".
  This leads to pread()/sendfile() errors followed by closing the client
  connection.

On rare systems where off_t is a 32-bit integer, this scenario is also feasible
with the "stco" atom.

The fix is to add checks which make sure data chunks referenced by each track
are within the mp4 file boundaries.  Additionally a few more checks are added to
ensure mp4 file consistency and log errors.







gRPC: variables support in the "grpc_pass" directive.
2020-01-17T09:13:02+00:00

Vladimir Homutov
vl@nginx.com

2020-01-17T09:13:02+00:00

0e3b3b57357e37c80794fb0bcb4b929be96c9537












Dav: added checks for chunked to body presence conditions.
2019-12-23T17:39:27+00:00

Maxim Dounin
mdounin@mdounin.ru

2019-12-23T17:39:27+00:00

5e5fa2e9e57b713e445b1737005ff6a202bda8ad

These checks were missed when chunked support was introduced.  And also
added an explicit error message to ngx_http_dav_copy_move_handler()
(it was missed for some reason, in contrast to DELETE and MKCOL handlers).





These checks were missed when chunked support was introduced.  And also
added an explicit error message to ngx_http_dav_copy_move_handler()
(it was missed for some reason, in contrast to DELETE and MKCOL handlers).







Rewrite: disallow empty replacements.
2019-12-16T12:19:01+00:00

Ruslan Ermilov
ru@nginx.com

2019-12-16T12:19:01+00:00

4c031f9a6a879bcc4e86f5b7d4177996c9bca4cd

While empty replacements were caught at run-time, parsing code
of the "rewrite" directive expects that a minimum length of the
"replacement" argument is 1.





While empty replacements were caught at run-time, parsing code
of the "rewrite" directive expects that a minimum length of the
"replacement" argument is 1.







Fixed request finalization in ngx_http_index_handler().
2019-12-16T12:19:01+00:00

Ruslan Ermilov
ru@nginx.com

2019-12-16T12:19:01+00:00

48086f79ad7d9ac08943312f59215533330617d0

Returning 500 instead of NGX_ERROR is preferable here because
header has not yet been sent to the client.





Returning 500 instead of NGX_ERROR is preferable here because
header has not yet been sent to the client.







Saved some memory allocations.
2019-12-16T12:19:01+00:00

Ruslan Ermilov
ru@nginx.com

2019-12-16T12:19:01+00:00

be45a3aa590a5f7e64c6d55e8e0f78565adf4823

In configurations when "root" has variables, some modules unnecessarily
allocated memory for the "Location" header value.





In configurations when "root" has variables, some modules unnecessarily
allocated memory for the "Location" header value.







Dav: fixed Location in successful MKCOL response.
2019-12-16T12:19:01+00:00

Ruslan Ermilov
ru@nginx.com

2019-12-16T12:19:01+00:00

6dc0c880e5b94dc507795369196dec5c2f9d2cc2

Instead of reducing URI length to not include the terminating '\0'
character in 6ddaac3e0bf7, restore the terminating '/' character.





Instead of reducing URI length to not include the terminating '\0'
character in 6ddaac3e0bf7, restore the terminating '/' character.







Upstream keepalive: clearing of c->data in cached connections.
2019-12-05T16:38:06+00:00

Maxim Dounin
mdounin@mdounin.ru

2019-12-05T16:38:06+00:00

953f53921505a884f3912f2d8db5217a71c0479a

Previously, connections returned from keepalive cache had c->data
pointing to the keepalive cache item.  While this shouldn't be a problem
for correct code, as c->data is not expected to be used before it is set,
explicitly clearing it might help to avoid confusion.





Previously, connections returned from keepalive cache had c->data
pointing to the keepalive cache item.  While this shouldn't be a problem
for correct code, as c->data is not expected to be used before it is set,
explicitly clearing it might help to avoid confusion.







Limit conn: added shared context.
2019-11-18T16:50:59+00:00

Roman Arutyunyan
arut@nginx.com

2019-11-18T16:50:59+00:00

5dc242e8f75eae718c1a941e663d7f483acf7c62

Previously only an rbtree was associated with a limit_conn.  To make it
possible to associate more data with a limit_conn, shared context is introduced
similar to limit_req.  Also, shared pool pointer is kept in a way similar to
limit_req.





Previously only an rbtree was associated with a limit_conn.  To make it
possible to associate more data with a limit_conn, shared context is introduced
similar to limit_req.  Also, shared pool pointer is kept in a way similar to
limit_req.