nginx.git/src/http/modules, branch release-1.30.0 nginx Fixed the "include" directive inside the "geo" block. 2026-03-24T18:20:16+00:00 Eugene Grebenschikov e.grebenshchikov@f5.com 2026-03-12T00:57:05+00:00 0de6e878ba43b55dd23b437c5be1819a55f63ec4 The "include" directive should be able to include multiple files if given a filename mask. Completes remaining changes introduced in da4ffd8. Closes: https://github.com/nginx/nginx/issues/1165 
The "include" directive should be able to include multiple files if
given a filename mask.

Completes remaining changes introduced in da4ffd8.

Closes: https://github.com/nginx/nginx/issues/1165
Dav: destination length validation for COPY and MOVE. 2026-03-24T14:45:25+00:00 Roman Arutyunyan arut@nginx.com 2026-03-16T16:13:03+00:00 9739e755b8dddba82e65ca2a08d079f4c9826b75 Previously, when alias was used in a location with Dav COPY or MOVE enabled, and the destination URI was shorter than the alias, integer underflow could happen in ngx_http_map_uri_to_path(), which could result in heap buffer overwrite, followed by a possible segfault. With some implementations of memcpy(), the segfault could be avoided and the overwrite could result in a change of the source or destination file names to be outside of the location root. Reported by Calif.io in collaboration with Claude and Anthropic Research. 
Previously, when alias was used in a location with Dav COPY or MOVE
enabled, and the destination URI was shorter than the alias, integer
underflow could happen in ngx_http_map_uri_to_path(), which could
result in heap buffer overwrite, followed by a possible segfault.
With some implementations of memcpy(), the segfault could be avoided
and the overwrite could result in a change of the source or destination
file names to be outside of the location root.

Reported by Calif.io in collaboration with Claude and Anthropic Research.
Mp4: fixed possible integer overflow on 32-bit platforms. 2026-03-24T14:44:57+00:00 Roman Arutyunyan arut@nginx.com 2026-03-02T17:12:34+00:00 3568812cf98dfd7661cd7516ecf9b398c134ab3c Previously, a 32-bit overflow could happen while validating atom entries count. This allowed processing of an invalid atom with entrires beyond its boundaries with reads and writes outside of the allocated mp4 buffer. Reported by Prabhav Srinath (sprabhav7). 
Previously, a 32-bit overflow could happen while validating atom entries
count.  This allowed processing of an invalid atom with entrires beyond
its boundaries with reads and writes outside of the allocated mp4 buffer.

Reported by Prabhav Srinath (sprabhav7).
Mp4: avoid zero size buffers in output. 2026-03-24T14:12:29+00:00 Roman Arutyunyan arut@nginx.com 2026-02-21T08:04:36+00:00 7725c372c2fe11ff908b1d6138be219ad694c42f Previously, data validation checks did not cover the cases when the output contained empty buffers. Such buffers are considered illegal and produce "zero size buf in output" alerts. The change rejects the mp4 files which produce such alerts. Also, the change fixes possible buffer overread and overwrite that could happen while processing empty stco and co64 atoms, as reported by Pavel Kohout (Aisle Research) and Tim Becker. 
Previously, data validation checks did not cover the cases when the output
contained empty buffers.  Such buffers are considered illegal and produce
"zero size buf in output" alerts.  The change rejects the mp4 files which
produce such alerts.

Also, the change fixes possible buffer overread and overwrite that could
happen while processing empty stco and co64 atoms, as reported by
Pavel Kohout (Aisle Research) and Tim Becker.
Upstream keepalive: fixed parameter parsing. 2026-03-24T11:38:16+00:00 Roman Arutyunyan arut@nginx.com 2026-03-24T11:12:05+00:00 d787755d50c96b8f0fc1c5c2df62e8ea3bd9031f 






Proxy: enabled HTTP/1.1 by default for upstream connections.
2026-03-24T10:28:52+00:00

Roman Semenov
r.semenov@f5.com

2026-01-27T20:37:11+00:00

6bb27a63129968da17b21589b73aa4f47b8445ec

Updates the proxy module to use HTTP/1.1 as the default protocol when
communicating with upstream servers. This change unlocks features
such as persistent connections and chunked transfer encoding. Configurations
that require HTTP/1.0 can still override the protocol explicitly.





Updates the proxy module to use HTTP/1.1 as the default protocol when
communicating with upstream servers. This change unlocks features
such as persistent connections and chunked transfer encoding. Configurations
that require HTTP/1.0 can still override the protocol explicitly.







Upstream: enabled keepalive by default for explicit upstreams.
2026-03-24T10:28:52+00:00

Roman Semenov
r.semenov@f5.com

2026-03-23T18:03:26+00:00

4fbe4b62746f67d4348212c089b745bd10082964

Keepalive is now automatically enabled in the "local" mode for upstreams
defined in configuration files. Cached keepalive connections are no longer
shared between different locations referencing the same explicit upstream
unless keepalive is explicitly configured without the "local" parameter.

To disable keepalive entirely, use keepalive 0; inside the upstream block.
To allow sharing cached connections between locations, configure
keepalive <max_cached>; without the "local" parameter.





Keepalive is now automatically enabled in the "local" mode for upstreams
defined in configuration files. Cached keepalive connections are no longer
shared between different locations referencing the same explicit upstream
unless keepalive is explicitly configured without the "local" parameter.

To disable keepalive entirely, use keepalive 0; inside the upstream block.
To allow sharing cached connections between locations, configure
keepalive <max_cached>; without the "local" parameter.







Upstream keepalive: distinguish cached connections by location.
2026-03-24T10:28:52+00:00

Roman Semenov
r.semenov@f5.com

2026-03-19T19:47:14+00:00

c5d36eac33d7c2198240111819b2a1c9fcb593a4

The new "local" parameter prevents sharing cached keepalive connections
between location blocks. Connections are now reused only within the same
location.





The new "local" parameter prevents sharing cached keepalive connections
between location blocks. Connections are now reused only within the same
location.







gRPC: reset buffer chains on upstream reinit.
2026-03-16T07:38:06+00:00

David Carlier
devnexen@gmail.com

2026-02-20T05:08:09+00:00

a29476464cc86092135401bdcad91e4d38ac6b6d

Previously, ctx->out was not cleared in ngx_http_grpc_reinit_request(),
which could cause queued HTTP/2 control frames (SETTINGS ACK, PING ACK,
WINDOW_UPDATE) to be sent on next upstream.

Additionally, ctx->in and ctx->busy needs to be cleared to avoid similar
problems with buffered request body fixed in cd12dc4f1.





Previously, ctx->out was not cleared in ngx_http_grpc_reinit_request(),
which could cause queued HTTP/2 control frames (SETTINGS ACK, PING ACK,
WINDOW_UPDATE) to be sent on next upstream.

Additionally, ctx->in and ctx->busy needs to be cleared to avoid similar
problems with buffered request body fixed in cd12dc4f1.







Proxy: reset pending control frames on HTTP/2 upstream reinit.
2026-03-16T07:37:33+00:00

David Carlier
devnexen@gmail.com

2026-02-19T07:26:42+00:00

bcd1a01d3bf54fb20de23356df0a23aa16487fd5

Previously, ctx->out was not cleared in ngx_http_proxy_v2_reinit_request(),
which could cause stale HTTP/2 control frames (SETTINGS ACK, PING ACK,
WINDOW_UPDATE) queued for the old upstream connection to be sent to a new
upstream connection during a retry.





Previously, ctx->out was not cleared in ngx_http_proxy_v2_reinit_request(),
which could cause stale HTTP/2 control frames (SETTINGS ACK, PING ACK,
WINDOW_UPDATE) queued for the old upstream connection to be sent to a new
upstream connection during a retry.