nginx.git/src/http, branch release-1.12.2 nginx Fixed handling of unix sockets in $binary_remote_addr. 2017-10-04T18:19:42+00:00 Maxim Dounin mdounin@mdounin.ru 2017-10-04T18:19:42+00:00 80a2771762f0411300ff01ec24d6481e8518dfff Previously, unix sockets were treated as AF_INET ones, and this may result in buffer overread on Linux, where unbound unix sockets have 2-byte addresses. Note that it is not correct to use just sun_path as a binary representation for unix sockets. This will result in an empty string for unbound unix sockets, and thus behaviour of limit_req and limit_conn will change when switching from $remote_addr to $binary_remote_addr. As such, normal text representation is used. Reported by Stephan Dollberg. 
Previously, unix sockets were treated as AF_INET ones, and this may
result in buffer overread on Linux, where unbound unix sockets have
2-byte addresses.

Note that it is not correct to use just sun_path as a binary representation
for unix sockets.  This will result in an empty string for unbound unix
sockets, and thus behaviour of limit_req and limit_conn will change when
switching from $remote_addr to $binary_remote_addr.  As such, normal text
representation is used.

Reported by Stephan Dollberg.
HTTP/2: enforce writing the sync request body buffer to file. 2017-10-04T18:15:15+00:00 Valentin Bartenev vbart@nginx.com 2017-10-04T18:15:15+00:00 9df7bd3439c172a5acb8a0af8bf57302d1dde56a The sync flag of HTTP/2 request body buffer is used when the size of request body is unknown or bigger than configured "client_body_buffer_size". In this case the buffer points to body data inside the global receive buffer that is used for reading all HTTP/2 connections in the worker process. Thus, when the sync flag is set, the buffer must be flushed to a temporary file, otherwise the request body data can be overwritten. Previously, the sync buffer wasn't flushed to a temporary file if the whole body was received in one DATA frame with the END_STREAM flag and wasn't copied into the HTTP/2 body preread buffer. As a result, the request body might be corrupted (ticket #1384). Now, setting r->request_body_in_file_only enforces writing the sync buffer to a temporary file in all cases. 
The sync flag of HTTP/2 request body buffer is used when the size of request
body is unknown or bigger than configured "client_body_buffer_size".  In this
case the buffer points to body data inside the global receive buffer that is
used for reading all HTTP/2 connections in the worker process.  Thus, when the
sync flag is set, the buffer must be flushed to a temporary file, otherwise
the request body data can be overwritten.

Previously, the sync buffer wasn't flushed to a temporary file if the whole
body was received in one DATA frame with the END_STREAM flag and wasn't
copied into the HTTP/2 body preread buffer.  As a result, the request body
might be corrupted (ticket #1384).

Now, setting r->request_body_in_file_only enforces writing the sync buffer
to a temporary file in all cases.
Range filter: changed type for total length to off_t. 2017-08-10T19:21:23+00:00 Maxim Dounin mdounin@mdounin.ru 2017-08-10T19:21:23+00:00 d80e485863d76a869c6efd6985452d3ff68f3f17 Total length of a response with multiple ranges can be larger than a size_t variable can hold, so type changed to off_t. Previously, an incorrect Content-Length was returned when requesting more than 4G of ranges from a large enough file on a 32-bit system. An additional size_t variable introduced to calculate size of the boundary header buffer, as off_t is not needed here and will require type casts on win32. Reported by Shuxin Yang, http://mailman.nginx.org/pipermail/nginx/2017-July/054384.html. 
Total length of a response with multiple ranges can be larger than a size_t
variable can hold, so type changed to off_t.  Previously, an incorrect
Content-Length was returned when requesting more than 4G of ranges from
a large enough file on a 32-bit system.

An additional size_t variable introduced to calculate size of the boundary
header buffer, as off_t is not needed here and will require type casts on
win32.

Reported by Shuxin Yang,
http://mailman.nginx.org/pipermail/nginx/2017-July/054384.html.
Added missing "fall through" comments (ticket #1259). 2017-04-27T13:57:18+00:00 Maxim Dounin mdounin@mdounin.ru 2017-04-27T13:57:18+00:00 b97145ae6c3fa65b59bff5cb08f72e554c558104 Found by gcc7 (-Wimplicit-fallthrough). 
Found by gcc7 (-Wimplicit-fallthrough).
Range filter: protect from total size overflows. 2017-07-11T13:06:23+00:00 Maxim Dounin mdounin@mdounin.ru 2017-07-11T13:06:23+00:00 455bd729517f770b2e70a5f51f27c713f2e3973e The overflow can be used to circumvent the restriction on total size of ranges introduced in c2a91088b0c0 (1.1.2). Additionally, overflow allows producing ranges with negative start (such ranges can be created by using a suffix, "bytes=-100"; normally this results in 200 due to the total size check). These can result in the following errors in logs: [crit] ... pread() ... failed (22: Invalid argument) [alert] ... sendfile() failed (22: Invalid argument) When using cache, it can be also used to reveal cache file header. It is believed that there are no other negative effects, at least with standard nginx modules. In theory, this can also result in memory disclosure and/or segmentation faults if multiple ranges are allowed, and the response is returned in a single in-memory buffer. This never happens with standard nginx modules though, as well as known 3rd party modules. Fix is to properly protect from possible overflow when incrementing size. 
The overflow can be used to circumvent the restriction on total size of
ranges introduced in c2a91088b0c0 (1.1.2).  Additionally, overflow
allows producing ranges with negative start (such ranges can be created
by using a suffix, "bytes=-100"; normally this results in 200 due to
the total size check).  These can result in the following errors in logs:

[crit] ... pread() ... failed (22: Invalid argument)
[alert] ... sendfile() failed (22: Invalid argument)

When using cache, it can be also used to reveal cache file header.
It is believed that there are no other negative effects, at least with
standard nginx modules.

In theory, this can also result in memory disclosure and/or segmentation
faults if multiple ranges are allowed, and the response is returned in a
single in-memory buffer.  This never happens with standard nginx modules
though, as well as known 3rd party modules.

Fix is to properly protect from possible overflow when incrementing size.
Upstream: allow recovery from "429 Too Many Requests" response. 2017-03-24T09:48:03+00:00 Piotr Sikora piotrsikora@google.com 2017-03-24T09:48:03+00:00 ca1a5057e2a0429350ec2d07c4616a75e34424e3 This change adds "http_429" parameter to "proxy_next_upstream" for retrying rate-limited requests, and to "proxy_cache_use_stale" for serving stale cached responses after being rate-limited. Signed-off-by: Piotr Sikora <piotrsikora@google.com> 
This change adds "http_429" parameter to "proxy_next_upstream" for
retrying rate-limited requests, and to "proxy_cache_use_stale" for
serving stale cached responses after being rate-limited.

Signed-off-by: Piotr Sikora <piotrsikora@google.com>
Added support for "429 Too Many Requests" response (RFC6585). 2017-03-24T09:48:03+00:00 Piotr Sikora piotrsikora@google.com 2017-03-24T09:48:03+00:00 c3ce606652aeac465895ab8eb8c6fc195d7db16b This change adds reason phrase in status line and pretty response body when "429" status code is used in "return", "limit_conn_status" and/or "limit_req_status" directives. Signed-off-by: Piotr Sikora <piotrsikora@google.com> 
This change adds reason phrase in status line and pretty response body
when "429" status code is used in "return", "limit_conn_status" and/or
"limit_req_status" directives.

Signed-off-by: Piotr Sikora <piotrsikora@google.com>
Fixed type. 2017-04-03T06:29:40+00:00 hucongcong hucong.c@foxmail.com 2017-04-03T06:29:40+00:00 9ac9fe2f3ec82455aa561027e91d380d2db0f3af 






Slice filter: prevented slice redirection (ticket #1219).
2017-03-31T18:47:56+00:00

Roman Arutyunyan
arut@nginx.com

2017-03-31T18:47:56+00:00

c31239ffb46586a00e60d957c844ffe63b138144

When a slice subrequest was redirected to a new location, its context was lost.
After its completion, a new slice subrequest for the same slice was created.
This could lead to infinite loop.  Now the slice module makes sure each slice
subrequest starts output with the slice context available.





When a slice subrequest was redirected to a new location, its context was lost.
After its completion, a new slice subrequest for the same slice was created.
This could lead to infinite loop.  Now the slice module makes sure each slice
subrequest starts output with the slice context available.







Slice filter: allowed at most one subrequest at a time.
2017-03-28T11:03:57+00:00

Roman Arutyunyan
arut@nginx.com

2017-03-28T11:03:57+00:00

8c9a66298c627ed4eae2557b322c3f33da97eca4

Previously, if slice main request write handler was called while a slice
subrequest was running, a new subrequest for the same slice was started.





Previously, if slice main request write handler was called while a slice
subrequest was running, a new subrequest for the same slice was started.