nginx.git/src/http/modules, branch release-1.23.4 nginx Gzip: compatibility with recent zlib-ng versions. 2023-03-27T18:25:05+00:00 Maxim Dounin mdounin@mdounin.ru 2023-03-27T18:25:05+00:00 87471918b20957694cb7a7503d2f868c8813c68b It now uses custom alloc_aligned() wrapper for all allocations, therefore all allocations are larger than expected by (64 + sizeof(void*)). Further, they are seen as allocations of 1 element. Relevant calculations were adjusted to reflect this, and state allocation is now protected with a flag to avoid misinterpreting other allocations as the zlib deflate_state allocation. Further, it no longer forces window bits to 13 on compression level 1, so the comment was adjusted to reflect this. 
It now uses custom alloc_aligned() wrapper for all allocations,
therefore all allocations are larger than expected by (64 + sizeof(void*)).
Further, they are seen as allocations of 1 element.  Relevant calculations
were adjusted to reflect this, and state allocation is now protected
with a flag to avoid misinterpreting other allocations as the zlib
deflate_state allocation.

Further, it no longer forces window bits to 13 on compression level 1,
so the comment was adjusted to reflect this.
SSL: enabled TLSv1.3 by default. 2023-03-23T23:57:43+00:00 Maxim Dounin mdounin@mdounin.ru 2023-03-23T23:57:43+00:00 7b24b93d67daa9c16d665129fd5d3e7dbc583e4f 






Fixed "zero size buf" alerts with subrequests.
2023-01-28T02:23:33+00:00

Maxim Dounin
mdounin@mdounin.ru

2023-01-28T02:23:33+00:00

384a8d8dfbf817b98715e8ed5ec7bf3cb545d501

Since 4611:2b6cb7528409 responses from the gzip static, flv, and mp4 modules
can be used with subrequests, though empty files were not properly handled.
Empty gzipped, flv, and mp4 files thus resulted in "zero size buf in output"
alerts.  While valid corresponding files are not expected to be empty, such
files shouldn't result in alerts.

Fix is to set b->sync on such empty subrequest responses, similarly to what
ngx_http_send_special() does.

Additionally, the static module, the ngx_http_send_response() function, and
file cache are modified to do the same instead of not sending the response
body at all in such cases, since not sending the response body at all is
believed to be at least questionable, and might break various filters
which do not expect such behaviour.





Since 4611:2b6cb7528409 responses from the gzip static, flv, and mp4 modules
can be used with subrequests, though empty files were not properly handled.
Empty gzipped, flv, and mp4 files thus resulted in "zero size buf in output"
alerts.  While valid corresponding files are not expected to be empty, such
files shouldn't result in alerts.

Fix is to set b->sync on such empty subrequest responses, similarly to what
ngx_http_send_special() does.

Additionally, the static module, the ngx_http_send_response() function, and
file cache are modified to do the same instead of not sending the response
body at all in such cases, since not sending the response body at all is
believed to be at least questionable, and might break various filters
which do not expect such behaviour.







Style.
2023-01-28T02:20:23+00:00

Maxim Dounin
mdounin@mdounin.ru

2023-01-28T02:20:23+00:00

856a01860e676bd5fe88d0f7ad7189e47cce04d9












Gzip static: ranges support (ticket #2349).
2023-01-24T00:01:51+00:00

Maxim Dounin
mdounin@mdounin.ru

2023-01-24T00:01:51+00:00

5c18b5bc3fe14aac969d1fb1e383bc696932e1f5

In contrast to on-the-fly gzipping with gzip filter, static gzipped
representation as returned by gzip_static is persistent, and therefore
the same binary representation is available for future requests, making
it possible to use range requests.

Further, if a gzipped representation is re-generated with different
compression settings, it is expected to result in different ETag and
different size reported in the Content-Range header, making it possible
to safely use range requests anyway.

As such, ranges are now allowed for files returned by gzip_static.





In contrast to on-the-fly gzipping with gzip filter, static gzipped
representation as returned by gzip_static is persistent, and therefore
the same binary representation is available for future requests, making
it possible to use range requests.

Further, if a gzipped representation is re-generated with different
compression settings, it is expected to result in different ETag and
different size reported in the Content-Range header, making it possible
to safely use range requests anyway.

As such, ranges are now allowed for files returned by gzip_static.







SSI: handling of subrequests from other modules (ticket #1263).
2022-11-21T14:01:34+00:00

Ciel Zhao
i@ciel.dev

2022-11-21T14:01:34+00:00

053e40e5d45ac76ea29b803840222461f501f1e3

As the SSI parser always uses the context from the main request for storing
variables and blocks, that context should always exist for subrequests using
SSI, even though the main request does not necessarily have SSI enabled.

However, `ngx_http_get_module_ctx(r->main, ...)` is getting NULL in such cases,
resulting in the worker crashing SIGSEGV when accessing its attributes.

This patch links the first initialized context to the main request, and
upgrades it only when main context is initialized.





As the SSI parser always uses the context from the main request for storing
variables and blocks, that context should always exist for subrequests using
SSI, even though the main request does not necessarily have SSI enabled.

However, `ngx_http_get_module_ctx(r->main, ...)` is getting NULL in such cases,
resulting in the worker crashing SIGSEGV when accessing its attributes.

This patch links the first initialized context to the main request, and
upgrades it only when main context is initialized.







Mp4: disabled duplicate atoms.
2022-10-19T07:53:17+00:00

Roman Arutyunyan
arut@nginx.com

2022-10-19T07:53:17+00:00

0d23105373e6d8a720b9826079c077b9b4be919d

Most atoms should not appear more than once in a container.  Previously,
this was not enforced by the module, which could result in worker process
crash, memory corruption and disclosure.





Most atoms should not appear more than once in a container.  Previously,
this was not enforced by the module, which could result in worker process
crash, memory corruption and disclosure.







SSL: improved validation of ssl_session_cache and ssl_ocsp_cache.
2022-10-17T12:24:53+00:00

Sergey Kandaurov
pluknet@nginx.com

2022-10-17T12:24:53+00:00

35fce42269bf1c84eadef6660021cefa08a960d7

Now it properly detects invalid shared zone configuration with omitted size.
Previously it used to read outside of the buffer boundary.

Found with AddressSanitizer.





Now it properly detects invalid shared zone configuration with omitted size.
Previously it used to read outside of the buffer boundary.

Found with AddressSanitizer.







Range filter: clearing of pre-existing Content-Range headers.
2022-07-15T04:01:44+00:00

Maxim Dounin
mdounin@mdounin.ru

2022-07-15T04:01:44+00:00

f35475c083d4cfe56647b66387b60c55e25c27d0

Some servers might emit Content-Range header on 200 responses, and this
does not seem to contradict RFC 9110: as per RFC 9110, the Content-Range
header has no meaning for status codes other than 206 and 416.  Previously
this resulted in duplicate Content-Range headers in nginx responses handled
by the range filter.  Fix is to clear pre-existing headers.





Some servers might emit Content-Range header on 200 responses, and this
does not seem to contradict RFC 9110: as per RFC 9110, the Content-Range
header has no meaning for status codes other than 206 and 416.  Previously
this resulted in duplicate Content-Range headers in nginx responses handled
by the range filter.  Fix is to clear pre-existing headers.







Upstream: optimized use of SSL contexts (ticket #1234).
2022-06-28T23:47:45+00:00

Maxim Dounin
mdounin@mdounin.ru

2022-06-28T23:47:45+00:00

d791b4aab418b0cbadbaf079fbb9360269d97941

To ensure optimal use of memory, SSL contexts for proxying are now
inherited from previous levels as long as relevant proxy_ssl_* directives
are not redefined.

Further, when no proxy_ssl_* directives are redefined in a server block,
we now preserve plcf->upstream.ssl in the "http" section configuration
to inherit it to all servers.

Similar changes made in uwsgi, grpc, and stream proxy.





To ensure optimal use of memory, SSL contexts for proxying are now
inherited from previous levels as long as relevant proxy_ssl_* directives
are not redefined.

Further, when no proxy_ssl_* directives are redefined in a server block,
we now preserve plcf->upstream.ssl in the "http" section configuration
to inherit it to all servers.

Similar changes made in uwsgi, grpc, and stream proxy.