nginx.git/src/http/modules, branch release-1.23.3

SSI: handling of subrequests from other modules (ticket #1263).

2022-11-21T14:01:34+00:00

As the SSI parser always uses the context from the main request for storing
variables and blocks, that context should always exist for subrequests using
SSI, even though the main request does not necessarily have SSI enabled.

However, `ngx_http_get_module_ctx(r->main, ...)` is getting NULL in such cases,
resulting in the worker crashing SIGSEGV when accessing its attributes.

This patch links the first initialized context to the main request, and
upgrades it only when main context is initialized.

Mp4: disabled duplicate atoms.

2022-10-19T07:53:17+00:00

Most atoms should not appear more than once in a container.  Previously,
this was not enforced by the module, which could result in worker process
crash, memory corruption and disclosure.

SSL: improved validation of ssl_session_cache and ssl_ocsp_cache.

2022-10-17T12:24:53+00:00

Now it properly detects invalid shared zone configuration with omitted size.
Previously it used to read outside of the buffer boundary.

Found with AddressSanitizer.

Range filter: clearing of pre-existing Content-Range headers.

2022-07-15T04:01:44+00:00

Some servers might emit Content-Range header on 200 responses, and this
does not seem to contradict RFC 9110: as per RFC 9110, the Content-Range
header has no meaning for status codes other than 206 and 416.  Previously
this resulted in duplicate Content-Range headers in nginx responses handled
by the range filter.  Fix is to clear pre-existing headers.

Upstream: optimized use of SSL contexts (ticket #1234).

2022-06-28T23:47:45+00:00

To ensure optimal use of memory, SSL contexts for proxying are now
inherited from previous levels as long as relevant proxy_ssl_* directives
are not redefined.

Further, when no proxy_ssl_* directives are redefined in a server block,
we now preserve plcf->upstream.ssl in the "http" section configuration
to inherit it to all servers.

Similar changes made in uwsgi, grpc, and stream proxy.

Perl: removed unused variables, forgotten in ef6a3a99a81a.

2022-06-14T06:39:58+00:00

Mp4: fixed potential overflow in ngx_http_mp4_crop_stts_data().

2022-06-07T18:58:52+00:00

Both "count" and "duration" variables are 32-bit, so their product might
potentially overflow.  It is used to reduce 64-bit start_time variable,
and with very large start_time this can result in incorrect seeking.

Found by Coverity (CID 1499904).

Upstream: handling of certificates specified as an empty string.

2022-06-07T16:08:57+00:00

Now, if the directive is given an empty string, such configuration cancels
loading of certificates, in particular, if they would be otherwise inherited
from the previous level.  This restores previous behaviour, before variables
support in certificates was introduced (3ab8e1e2f0f7).

Headers filter: improved memory allocation error handling.

2022-05-30T18:25:57+00:00

Auth request: multiple WWW-Authenticate headers (ticket #485).

2022-05-30T18:25:54+00:00

When using auth_request with an upstream server which returns 401
(Unauthorized), multiple WWW-Authenticate headers from the upstream server
response are now properly copied to the response.