nginx.git/src/http, branch release-1.15.6

gRPC: limited allocations due to ping and settings frames.

2018-11-06T13:29:59+00:00

HTTP/2: limit the number of idle state switches.

2018-11-06T13:29:49+00:00

An attack that continuously switches HTTP/2 connection between
idle and active states can result in excessive CPU usage.
This is because when a connection switches to the idle state,
all of its memory pool caches are freed.

This change limits the maximum allowed number of idle state
switches to 10 * http2_max_requests (i.e., 10000 by default).
This limits possible CPU usage in one connection, and also
imposes a limit on the maximum lifetime of a connection.

Initially reported by Gal Goldshtein from F5 Networks.

HTTP/2: flood detection.

2018-11-06T13:29:35+00:00

Fixed uncontrolled memory growth in case peer is flooding us with
some frames (e.g., SETTINGS and PING) and doesn't read data.  Fix
is to limit the number of allocated control frames.

Mp4: fixed reading 64-bit atoms.

2018-11-06T13:29:18+00:00

Previously there was no validation for the size of a 64-bit atom
in an mp4 file.  This could lead to a CPU hog when the size is 0,
or various other problems due to integer underflow when calculating
atom data size, including segmentation fault or worker process
memory disclosure.

Cache: improved keys zone size error reporting.

2018-10-31T13:49:40+00:00

After this change, too small keys zones are explicitly reported as such,
much like in the other modules which use shared memory.

Cache: fixed minimum cache keys zone size limit.

2018-10-31T13:49:39+00:00

Size of a shared memory zones must be at least two pages - one page
for slab allocator internal data, and another page for actual allocations.
Using 8192 instead is wrong, as there are systems with page sizes other
than 4096.

Note well that two pages is usually too low as well.  In particular, cache
is likely to use two allocations of different sizes for global structures,
and at least four pages will be needed to properly allocate cache nodes.
Except in a few very special cases, with keys zone of just two pages nginx
won't be able to start.  Other uses of shared memory impose a limit
of 8 pages, which provides some room for global allocations.  This patch
doesn't try to address this though.

Inspired by ticket #1665.

Upstream: proxy_socket_keepalive and friends.

2018-10-03T11:08:51+00:00

The directives enable the use of the SO_KEEPALIVE option on
upstream connections.  By default, the value is left unchanged.

SSL: fixed segfault on renegotiation (ticket #1646).

2018-10-02T14:46:18+00:00

In e3ba4026c02d (1.15.4) nginx own renegotiation checks were disabled
if SSL_OP_NO_RENEGOTIATION is available.  But since SSL_OP_NO_RENEGOTIATION
is only set on a connection, not in an SSL context, SSL_clear_option()
removed it as long as a matching virtual server was found.  This resulted
in a segmentation fault similar to the one fixed in a6902a941279 (1.9.8),
affecting nginx built with OpenSSL 1.1.0h or higher.

To fix this, SSL_OP_NO_RENEGOTIATION is now explicitly set in
ngx_http_ssl_servername() after adjusting options.  Additionally, instead
of c->ssl->renegotiation we now check c->ssl->handshaked, which seems
to be a more correct flag to test, and will prevent the segmentation fault
from happening even if SSL_OP_NO_RENEGOTIATION is not working.

Cache: status must be less then 599 in *_cache_valid directives.

2018-09-24T17:26:46+00:00

Previously, configurations with typo, for example

    fastcgi_cache_valid 200301 302 5m;

successfully pass configuration test. Adding check for status
codes > 599, and such configurations are now properly rejected.

Removed bgcolor attribute on body in error pages and autoindex.

2018-09-19T14:26:47+00:00

The bgcolor attribute overrides compatibility settings in browsers
and leads to undesirable behavior when the default font color is set
to white in the browser, since font-color is not also overridden.