nginx.git/src/http, branch release-1.15.4 nginx Cache: status must be less then 599 in *_cache_valid directives. 2018-09-24T17:26:46+00:00 Gena Makhomed gmm@csdoc.com 2018-09-24T17:26:46+00:00 1065455289d72b140f9e63a420b531eaae2d4039 Previously, configurations with typo, for example fastcgi_cache_valid 200301 302 5m; successfully pass configuration test. Adding check for status codes > 599, and such configurations are now properly rejected. 
Previously, configurations with typo, for example

    fastcgi_cache_valid 200301 302 5m;

successfully pass configuration test. Adding check for status
codes > 599, and such configurations are now properly rejected.
Removed bgcolor attribute on body in error pages and autoindex. 2018-09-19T14:26:47+00:00 Nova DasSarma nova@novalinium.com 2018-09-19T14:26:47+00:00 8117b3f5a06b68afb292ddd19bf6ee6000707232 The bgcolor attribute overrides compatibility settings in browsers and leads to undesirable behavior when the default font color is set to white in the browser, since font-color is not also overridden. 
The bgcolor attribute overrides compatibility settings in browsers
and leads to undesirable behavior when the default font color is set
to white in the browser, since font-color is not also overridden.
Rewrite: removed r->err_status special handling (ticket #1634). 2018-09-21T12:59:33+00:00 Maxim Dounin mdounin@mdounin.ru 2018-09-21T12:59:33+00:00 a834b8aa09205922bf11c005b3c737b267be12bb Trying to look into r->err_status in the "return" directive makes it behave differently than real errors generated in other parts of the code, and is an endless source of various problems. This behaviour was introduced in 726:7b71936d5299 (0.4.4) with the comment "fix: "return" always overrode "error_page" response code". It is not clear if there were any real cases this was expected to fix, but there are several cases which are broken due to this change, some previously fixed (4147:7f64de1cc2c0). In ticket #1634, the problem is that when r->err_status is set to a non-special status code, it is not possible to return a response by simply returning r->err_status. If this is the case, the only option is to return script's e->status instead. An example configuration: location / { error_page 404 =200 /err502; return 404; } location = /err502 { return 502; } After the change, such a configuration will properly return standard 502 error, much like it happens when a 502 error is generated by proxy_pass. This also fixes the following configuration to properly close connection as clearly requested by "return 444": location / { error_page 404 /close; return 404; } location = /close { return 444; } Previously, this required "error_page 404 = /close;" to work as intended. 
Trying to look into r->err_status in the "return" directive
makes it behave differently than real errors generated in other
parts of the code, and is an endless source of various problems.
This behaviour was introduced in 726:7b71936d5299 (0.4.4) with
the comment "fix: "return" always overrode "error_page" response code".
It is not clear if there were any real cases this was expected to fix,
but there are several cases which are broken due to this change, some
previously fixed (4147:7f64de1cc2c0).

In ticket #1634, the problem is that when r->err_status is set to
a non-special status code, it is not possible to return a response
by simply returning r->err_status.  If this is the case, the only
option is to return script's e->status instead.  An example
configuration:

    location / {
        error_page 404 =200 /err502;
        return 404;
    }

    location = /err502 {
        return 502;
    }

After the change, such a configuration will properly return
standard 502 error, much like it happens when a 502 error is
generated by proxy_pass.

This also fixes the following configuration to properly close
connection as clearly requested by "return 444":

    location / {
        error_page 404 /close;
        return 404;
    }

    location = /close {
        return 444;
    }

Previously, this required "error_page 404 = /close;" to work
as intended.
Fixed socket leak with "return 444" in error_page (ticket #274). 2018-09-21T12:59:30+00:00 Maxim Dounin mdounin@mdounin.ru 2018-09-21T12:59:30+00:00 e4a3211e2f651c6f25466ba8a8337ea1aa020c53 Socket leak was observed in the following configuration: error_page 400 = /close; location = /close { return 444; } The problem is that "return 444" triggers termination of the request, and due to error_page termination thinks that it needs to use a posted request to clear stack. But at the early request processing where 400 errors are generated there are no ngx_http_run_posted_requests() calls, so the request is only terminated after an external event. Variants of the problem include "error_page 497" instead (ticket #695) and various other errors generated during early request processing (405, 414, 421, 494, 495, 496, 501, 505). The same problem can be also triggered with "return 499" and "return 408" as both codes trigger ngx_http_terminate_request(), much like "return 444". To fix this, the patch adds ngx_http_run_posted_requests() calls to ngx_http_process_request_line() and ngx_http_process_request_headers() functions, and to ngx_http_v2_run_request() and ngx_http_v2_push_stream() functions in HTTP/2. Since the ngx_http_process_request() function is now only called via other functions which call ngx_http_run_posted_requests(), the call there is no longer needed and was removed. 
Socket leak was observed in the following configuration:

    error_page 400 = /close;

    location = /close {
        return 444;
    }

The problem is that "return 444" triggers termination of the request,
and due to error_page termination thinks that it needs to use a posted
request to clear stack.  But at the early request processing where 400
errors are generated there are no ngx_http_run_posted_requests() calls,
so the request is only terminated after an external event.

Variants of the problem include "error_page 497" instead (ticket #695)
and various other errors generated during early request processing
(405, 414, 421, 494, 495, 496, 501, 505).

The same problem can be also triggered with "return 499" and "return 408"
as both codes trigger ngx_http_terminate_request(), much like "return 444".

To fix this, the patch adds ngx_http_run_posted_requests() calls to
ngx_http_process_request_line() and ngx_http_process_request_headers()
functions, and to ngx_http_v2_run_request() and ngx_http_v2_push_stream()
functions in HTTP/2.

Since the ngx_http_process_request() function is now only called via
other functions which call ngx_http_run_posted_requests(), the call
there is no longer needed and was removed.
Lingering close changed to handle NGX_AGAIN. 2018-09-10T15:57:13+00:00 Maxim Dounin mdounin@mdounin.ru 2018-09-10T15:57:13+00:00 278be041ddbd91c28b496ca01213c47cbc96d958 The "do { c->recv() } while (c->read->ready)" form used in the ngx_http_lingering_close_handler() is not really correct, as for example with SSL c->read->ready may be still set when returning NGX_AGAIN due to SSL_ERROR_WANT_WRITE. Therefore the above might be an infinite loop. This doesn't really matter in lingering close, as we shutdown write side of the socket anyway and also disable renegotiation (and even without shutdown and with renegotiation it requires using very large certificate chain and tuning socket buffers to trigger SSL_ERROR_WANT_WRITE). But for the sake of correctness added an NGX_AGAIN check. 
The "do { c->recv() } while (c->read->ready)" form used in the
ngx_http_lingering_close_handler() is not really correct, as for
example with SSL c->read->ready may be still set when returning NGX_AGAIN
due to SSL_ERROR_WANT_WRITE.  Therefore the above might be an infinite loop.

This doesn't really matter in lingering close, as we shutdown write side
of the socket anyway and also disable renegotiation (and even without shutdown
and with renegotiation it requires using very large certificate chain and
tuning socket buffers to trigger SSL_ERROR_WANT_WRITE).  But for the sake of
correctness added an NGX_AGAIN check.
gRPC: disabled keepalive when sending control frames was blocked. 2018-09-03T16:34:02+00:00 Maxim Dounin mdounin@mdounin.ru 2018-09-03T16:34:02+00:00 07dbfd00fff456d05007cc1f35bd5a5b1349ef08 If sending request body was not completed (u->request_body_sent is not set), the upstream keepalive module won't save such a connection. However, it is theoretically possible (though highly unlikely) that sending of some control frames can be blocked after the request body was sent. The ctx->output_blocked flag introduced to disable keepalive in such cases. 
If sending request body was not completed (u->request_body_sent is not set),
the upstream keepalive module won't save such a connection.  However, it
is theoretically possible (though highly unlikely) that sending of some
control frames can be blocked after the request body was sent.  The
ctx->output_blocked flag introduced to disable keepalive in such cases.
gRPC: improved keepalive handling. 2018-09-03T16:34:01+00:00 Maxim Dounin mdounin@mdounin.ru 2018-09-03T16:34:01+00:00 71e152debe7389574967639114dfa7a7107fec8d The code is now able to parse additional control frames after the response is received, and can send control frames as well. This fixes keepalive problems as observed with grpc-c, which can send window update and ping frames after the response, see http://mailman.nginx.org/pipermail/nginx/2018-August/056620.html. 
The code is now able to parse additional control frames after
the response is received, and can send control frames as well.
This fixes keepalive problems as observed with grpc-c, which can
send window update and ping frames after the response, see
http://mailman.nginx.org/pipermail/nginx/2018-August/056620.html.
Uwsgi: added a check on maximum uwsgi request size. 2018-09-03T16:17:06+00:00 Maxim Dounin mdounin@mdounin.ru 2018-09-03T16:17:06+00:00 b71792b11086d9df748f36d02f93d360d135cd7c Requested by Chris Caputo. 
Requested by Chris Caputo.
Uwsgi: style. 2018-09-03T16:17:01+00:00 Maxim Dounin mdounin@mdounin.ru 2018-09-03T16:17:01+00:00 07c3e79b64c793facb22ec498dd0fc1437645e55 






Upstream: fixed request chain traversal (ticket #1618).
2018-08-24T09:19:37+00:00

Vladimir Homutov
vl@nginx.com

2018-08-24T09:19:37+00:00

62821f1c99f3bdb79ddbef2386060a6deb192605

The problem does not manifest itself currently, because in case of
non-buffered reading, chain link created by u->create_request method
consists of a single element.

Found by PVS-Studio.





The problem does not manifest itself currently, because in case of
non-buffered reading, chain link created by u->create_request method
consists of a single element.

Found by PVS-Studio.