nginx.git/src/http/ngx_http_variables.c, branch release-1.28.2 nginx Variables: avoid possible buffer overrun with some "$sent_http_*". 2023-05-01T15:16:05+00:00 Sergey Kandaurov pluknet@nginx.com 2023-05-01T15:16:05+00:00 1a8ef991d92d22eb8aded7f49595dd31a639e8a4 The existing logic to evaluate multi header "$sent_http_*" variables, such as $sent_http_cache_control, as previously introduced in 1.23.0, doesn't take into account that one or more elements can be cleared, yet still present in a linked list, pointed to by the next field. Such elements don't contribute to the resulting variable length, an attempt to append a separator for them ends up in out of bounds write. This is not possible with standard modules, though at least one third party module is known to override multi header values this way, so it makes sense to harden the logic. The fix restores a generic boundary check. 
The existing logic to evaluate multi header "$sent_http_*" variables,
such as $sent_http_cache_control, as previously introduced in 1.23.0,
doesn't take into account that one or more elements can be cleared,
yet still present in a linked list, pointed to by the next field.
Such elements don't contribute to the resulting variable length, an
attempt to append a separator for them ends up in out of bounds write.

This is not possible with standard modules, though at least one third
party module is known to override multi header values this way, so it
makes sense to harden the logic.

The fix restores a generic boundary check.
PROXY protocol v2 TLV variables. 2022-10-12T12:58:16+00:00 Roman Arutyunyan arut@nginx.com 2022-10-12T12:58:16+00:00 50e3ff8a006100feaa0666cf5e4f9fd5fdcfb721 The variables have prefix $proxy_protocol_tlv_ and are accessible by name and by type. Examples are: $proxy_protocol_tlv_0x01, $proxy_protocol_tlv_alpn. 
The variables have prefix $proxy_protocol_tlv_ and are accessible by name
and by type.  Examples are: $proxy_protocol_tlv_0x01, $proxy_protocol_tlv_alpn.
All non-unique input headers are now linked lists. 2022-05-30T18:25:35+00:00 Maxim Dounin mdounin@mdounin.ru 2022-05-30T18:25:35+00:00 fcf4331a0fdaf620a75fc62ce9d31b1295db3b3c The ngx_http_process_multi_header_lines() function is removed, as it is exactly equivalent to ngx_http_process_header_line(). Similarly, ngx_http_variable_header() is used instead of ngx_http_variable_headers(). 
The ngx_http_process_multi_header_lines() function is removed, as it is
exactly equivalent to ngx_http_process_header_line().  Similarly,
ngx_http_variable_header() is used instead of ngx_http_variable_headers().
Reworked multi headers to use linked lists. 2022-05-30T18:25:33+00:00 Maxim Dounin mdounin@mdounin.ru 2022-05-30T18:25:33+00:00 3aef1d693f3cc431563a7e6a6aba6a34e5290f03 Multi headers are now using linked lists instead of arrays. Notably, the following fields were changed: r->headers_in.cookies (renamed to r->headers_in.cookie), r->headers_in.x_forwarded_for, r->headers_out.cache_control, r->headers_out.link, u->headers_in.cache_control u->headers_in.cookies (renamed to u->headers_in.set_cookie). The r->headers_in.cookies and u->headers_in.cookies fields were renamed to r->headers_in.cookie and u->headers_in.set_cookie to match header names. The ngx_http_parse_multi_header_lines() and ngx_http_parse_set_cookie_lines() functions were changed accordingly. With this change, multi headers are now essentially equivalent to normal headers, and following changes will further make them equivalent. 
Multi headers are now using linked lists instead of arrays.  Notably,
the following fields were changed: r->headers_in.cookies (renamed
to r->headers_in.cookie), r->headers_in.x_forwarded_for,
r->headers_out.cache_control, r->headers_out.link, u->headers_in.cache_control
u->headers_in.cookies (renamed to u->headers_in.set_cookie).

The r->headers_in.cookies and u->headers_in.cookies fields were renamed
to r->headers_in.cookie and u->headers_in.set_cookie to match header names.

The ngx_http_parse_multi_header_lines() and ngx_http_parse_set_cookie_lines()
functions were changed accordingly.

With this change, multi headers are now essentially equivalent to normal
headers, and following changes will further make them equivalent.
Combining unknown headers during variables lookup (ticket #1316). 2022-05-30T18:25:32+00:00 Maxim Dounin mdounin@mdounin.ru 2022-05-30T18:25:32+00:00 7dc6f4e25d21588249691aab8c6013c126eae258 Previously, $http_*, $sent_http_*, $sent_trailer_*, $upstream_http_*, and $upstream_trailer_* variables returned only the first header (with a few specially handled exceptions: $http_cookie, $http_x_forwarded_for, $sent_http_cache_control, $sent_http_link). With this change, all headers are returned, combined together. For example, $http_foo variable will be "a, b" if there are "Foo: a" and "Foo: b" headers in the request. Note that $upstream_http_set_cookie will also return all "Set-Cookie" headers (ticket #1843), though this might not be what one want, since the "Set-Cookie" header does not follow the list syntax (see RFC 7230, section 3.2.2). 
Previously, $http_*, $sent_http_*, $sent_trailer_*, $upstream_http_*,
and $upstream_trailer_* variables returned only the first header (with
a few specially handled exceptions: $http_cookie, $http_x_forwarded_for,
$sent_http_cache_control, $sent_http_link).

With this change, all headers are returned, combined together.  For
example, $http_foo variable will be "a, b" if there are "Foo: a" and
"Foo: b" headers in the request.

Note that $upstream_http_set_cookie will also return all "Set-Cookie"
headers (ticket #1843), though this might not be what one want, since
the "Set-Cookie" header does not follow the list syntax (see RFC 7230,
section 3.2.2).
Fixed $content_length cacheability with chunked (ticket #2252). 2021-10-06T15:01:42+00:00 Maxim Dounin mdounin@mdounin.ru 2021-10-06T15:01:42+00:00 c9c3f2f005c43fd885bd78f86e1044261e639bea 






Added $connection_time variable.
2021-04-07T21:16:17+00:00

Maxim Dounin
mdounin@mdounin.ru

2021-04-07T21:16:17+00:00

497acbd0ed4b3f289bde11de207efb0abd1f6fa6












Variables: fixed buffer over-read when evaluating "$arg_".
2020-05-08T16:19:16+00:00

Sergey Kandaurov
pluknet@nginx.com

2020-05-08T16:19:16+00:00

41ecd45a5bb78b2214c4515768a51aff0c57eead












Parsing server PROXY protocol address and port (ticket #1206).
2019-10-21T17:22:30+00:00

Roman Arutyunyan
arut@nginx.com

2019-10-21T17:22:30+00:00

203898505ca4fde338d718960e485891ecd891f6

New variables $proxy_protocol_server_addr and $proxy_protocol_server_port are
added both to HTTP and Stream.





New variables $proxy_protocol_server_addr and $proxy_protocol_server_port are
added both to HTTP and Stream.







Core: moved PROXY protocol fields out of ngx_connection_t.
2019-10-21T15:06:19+00:00

Roman Arutyunyan
arut@nginx.com

2019-10-21T15:06:19+00:00

be932e81a1531a3ba032febad968fc2006c4fa48

Now a new structure ngx_proxy_protocol_t holds these fields.  This allows
to add more PROXY protocol fields in the future without modifying the
connection structure.





Now a new structure ngx_proxy_protocol_t holds these fields.  This allows
to add more PROXY protocol fields in the future without modifying the
connection structure.