nginx.git/src/http/modules, branch release-1.25.5 nginx Rewrite: fixed "return" directive without response text. 2024-02-26T20:00:28+00:00 Piotr Sikora piotr@aviatrix.com 2024-02-26T20:00:28+00:00 2f9e8431e696b27ffcd69e455a1ee006ca14f8e3 Previously, the response text wasn't initialized and the rewrite module was sending response body set to NULL. Found with UndefinedBehaviorSanitizer (pointer-overflow). Signed-off-by: Piotr Sikora <piotr@aviatrix.com> 
Previously, the response text wasn't initialized and the rewrite module
was sending response body set to NULL.

Found with UndefinedBehaviorSanitizer (pointer-overflow).

Signed-off-by: Piotr Sikora <piotr@aviatrix.com>
Fixed undefined behaviour with IPv4-mapped IPv6 addresses. 2024-03-18T13:14:30+00:00 Sergey Kandaurov pluknet@nginx.com 2024-03-18T13:14:30+00:00 3d5a356abb4f06b0f103290bd31a4c146233956b Previously, it could result when left-shifting signed integer due to implicit integer promotion, such that the most significant bit appeared on the sign bit. In practice, though, this results in the same left value as with an explicit cast, at least on known compilers, such as GCC and Clang. The reason is that in_addr_t, which is equivalent to uint32_t and same as "unsigned int" in ILP32 and LP64 data type models, has the same type width as the intermediate after integer promotion, so there's no side effects such as sign-extension. This explains why adding an explicit cast does not change object files in practice. Found with UndefinedBehaviorSanitizer (shift). Based on a patch by Piotr Sikora. 
Previously, it could result when left-shifting signed integer due to implicit
integer promotion, such that the most significant bit appeared on the sign bit.

In practice, though, this results in the same left value as with an explicit
cast, at least on known compilers, such as GCC and Clang.  The reason is that
in_addr_t, which is equivalent to uint32_t and same as "unsigned int" in ILP32
and LP64 data type models, has the same type width as the intermediate after
integer promotion, so there's no side effects such as sign-extension.  This
explains why adding an explicit cast does not change object files in practice.

Found with UndefinedBehaviorSanitizer (shift).

Based on a patch by Piotr Sikora.
Geo: fixed uninitialized memory access. 2024-03-14T14:37:20+00:00 Piotr Sikora piotr@aviatrix.com 2024-03-14T14:37:20+00:00 d3d64cacb3ce96477d354fe17d3b5c6e348f933a While copying ngx_http_variable_value_t structures to geo binary base in ngx_http_geo_copy_values(), and similarly in the stream module, uninitialized parts of these structures are copied as well. These include the "escape" field and possible holes. Calculating crc32 of this data triggers uninitialized memory access. Found with MemorySanitizer. Signed-off-by: Piotr Sikora <piotr@aviatrix.com> 
While copying ngx_http_variable_value_t structures to geo binary base
in ngx_http_geo_copy_values(), and similarly in the stream module,
uninitialized parts of these structures are copied as well.  These
include the "escape" field and possible holes.  Calculating crc32 of
this data triggers uninitialized memory access.

Found with MemorySanitizer.

Signed-off-by: Piotr Sikora <piotr@aviatrix.com>
Overhauled some diagnostic messages akin to 1b05b9bbcebf. 2024-03-22T10:51:14+00:00 Sergey Kandaurov pluknet@nginx.com 2024-03-22T10:51:14+00:00 ae1948aa40c48a97f2e171acb84eb04bfcbe1307 






Upstream: fixed handling of Status headers without reason-phrase.
2023-08-31T19:59:17+00:00

Maxim Dounin
mdounin@mdounin.ru

2023-08-31T19:59:17+00:00

fa46a5719924a5a4c48c515a903e0c46a4d98bcf

Status header with an empty reason-phrase, such as "Status: 404 ", is
valid per CGI specification, but looses the trailing space during parsing.
Currently, this results in "HTTP/1.1 404" HTTP status line in the response,
which violates HTTP specification due to missing trailing space.

With this change, only the status code is used from such short Status
header lines, so nginx will generate status line itself, with the space
and appropriate reason phrase if available.

Reported at:
https://mailman.nginx.org/pipermail/nginx/2023-August/EX7G4JUUHJWJE5UOAZMO5UD6OJILCYGX.html





Status header with an empty reason-phrase, such as "Status: 404 ", is
valid per CGI specification, but looses the trailing space during parsing.
Currently, this results in "HTTP/1.1 404" HTTP status line in the response,
which violates HTTP specification due to missing trailing space.

With this change, only the status code is used from such short Status
header lines, so nginx will generate status line itself, with the space
and appropriate reason phrase if available.

Reported at:
https://mailman.nginx.org/pipermail/nginx/2023-August/EX7G4JUUHJWJE5UOAZMO5UD6OJILCYGX.html







SSL: removed the "ssl" directive.
2023-06-08T10:49:27+00:00

Roman Arutyunyan
arut@nginx.com

2023-06-08T10:49:27+00:00

d32f66f1e8dc81a0edbadbacf74191684a653d09

It has been deprecated since 7270:46c0c7ef4913 (1.15.0) in favour of
the "ssl" parameter of the "listen" directive, which has been available
since 2224:109849282793 (0.7.14).





It has been deprecated since 7270:46c0c7ef4913 (1.15.0) in favour of
the "ssl" parameter of the "listen" directive, which has been available
since 2224:109849282793 (0.7.14).







HTTP/2: "http2" directive.
2023-05-16T12:30:08+00:00

Roman Arutyunyan
arut@nginx.com

2023-05-16T12:30:08+00:00

aefd862ab197c3ab49001fcf69be478aab5b0f4e

The directive enables HTTP/2 in the current server.  The previous way to
enable HTTP/2 via "listen ... http2" is now deprecated.  The new approach
allows to share HTTP/2 and HTTP/0.9-1.1 on the same port.

For SSL connections, HTTP/2 is now selected by ALPN callback based on whether
the protocol is enabled in the virtual server chosen by SNI.  This however only
works since OpenSSL 1.0.2h, where ALPN callback is invoked after SNI callback.
For older versions of OpenSSL, HTTP/2 is enabled based on the default virtual
server configuration.

For plain TCP connections, HTTP/2 is now auto-detected by HTTP/2 preface, if
HTTP/2 is enabled in the default virtual server.  If preface is not matched,
HTTP/0.9-1.1 is assumed.





The directive enables HTTP/2 in the current server.  The previous way to
enable HTTP/2 via "listen ... http2" is now deprecated.  The new approach
allows to share HTTP/2 and HTTP/0.9-1.1 on the same port.

For SSL connections, HTTP/2 is now selected by ALPN callback based on whether
the protocol is enabled in the virtual server chosen by SNI.  This however only
works since OpenSSL 1.0.2h, where ALPN callback is invoked after SNI callback.
For older versions of OpenSSL, HTTP/2 is enabled based on the default virtual
server configuration.

For plain TCP connections, HTTP/2 is now auto-detected by HTTP/2 preface, if
HTTP/2 is enabled in the default virtual server.  If preface is not matched,
HTTP/0.9-1.1 is assumed.







HTTP/3: removed "http3" parameter of "listen" directive.
2023-05-11T09:22:10+00:00

Roman Arutyunyan
arut@nginx.com

2023-05-11T09:22:10+00:00

2ce3eeeeb76318e414b62d399da70872d2de23d8

The parameter has been deprecated since c851a2ed5ce8.





The parameter has been deprecated since c851a2ed5ce8.







Merged with the default branch.
2023-03-29T07:14:25+00:00

Sergey Kandaurov
pluknet@nginx.com

2023-03-29T07:14:25+00:00

e8fbc967470b39513248cd961ccccf7a032831ea












Gzip: compatibility with recent zlib-ng versions.
2023-03-27T18:25:05+00:00

Maxim Dounin
mdounin@mdounin.ru

2023-03-27T18:25:05+00:00

87471918b20957694cb7a7503d2f868c8813c68b

It now uses custom alloc_aligned() wrapper for all allocations,
therefore all allocations are larger than expected by (64 + sizeof(void*)).
Further, they are seen as allocations of 1 element.  Relevant calculations
were adjusted to reflect this, and state allocation is now protected
with a flag to avoid misinterpreting other allocations as the zlib
deflate_state allocation.

Further, it no longer forces window bits to 13 on compression level 1,
so the comment was adjusted to reflect this.





It now uses custom alloc_aligned() wrapper for all allocations,
therefore all allocations are larger than expected by (64 + sizeof(void*)).
Further, they are seen as allocations of 1 element.  Relevant calculations
were adjusted to reflect this, and state allocation is now protected
with a flag to avoid misinterpreting other allocations as the zlib
deflate_state allocation.

Further, it no longer forces window bits to 13 on compression level 1,
so the comment was adjusted to reflect this.