nginx.git/src/http, branch release-1.17.7 nginx HTTP/2: introduced separate handler to retry stream close. 2019-12-23T18:25:21+00:00 Maxim Dounin mdounin@mdounin.ru 2019-12-23T18:25:21+00:00 810559665a704957431b387572af99a82039162a When ngx_http_v2_close_stream_handler() is used to retry stream close after queued frames are sent, client timeouts on the stream can be logged multiple times and/or in addition to already happened errors. To resolve this, separate ngx_http_v2_retry_close_stream_handler() was introduced, which does not try to log timeouts. 
When ngx_http_v2_close_stream_handler() is used to retry stream close
after queued frames are sent, client timeouts on the stream can be
logged multiple times and/or in addition to already happened errors.
To resolve this, separate ngx_http_v2_retry_close_stream_handler()
was introduced, which does not try to log timeouts.
HTTP/2: fixed socket leak with queued frames (ticket #1689). 2019-12-23T18:25:17+00:00 Maxim Dounin mdounin@mdounin.ru 2019-12-23T18:25:17+00:00 49709f75b262c483550cc826471839f624765ab1 If a stream is closed with queued frames, it is possible that no further write events will occur on the stream, leading to the socket leak. To fix this, the stream's fake connection read handler is set to ngx_http_v2_close_stream_handler(), to make sure that finalizing the connection with ngx_http_v2_finalize_connection() will be able to close the stream regardless of the current number of queued frames. Additionally, the stream's fake connection fc->error flag is explicitly set, so ngx_http_v2_handle_stream() will post a write event when queued frames are finally sent even if stream flow control window is exhausted. 
If a stream is closed with queued frames, it is possible that no further
write events will occur on the stream, leading to the socket leak.
To fix this, the stream's fake connection read handler is set to
ngx_http_v2_close_stream_handler(), to make sure that finalizing the
connection with ngx_http_v2_finalize_connection() will be able to
close the stream regardless of the current number of queued frames.

Additionally, the stream's fake connection fc->error flag is explicitly
set, so ngx_http_v2_handle_stream() will post a write event when queued
frames are finally sent even if stream flow control window is exhausted.
Dav: added checks for chunked to body presence conditions. 2019-12-23T17:39:27+00:00 Maxim Dounin mdounin@mdounin.ru 2019-12-23T17:39:27+00:00 5e5fa2e9e57b713e445b1737005ff6a202bda8ad These checks were missed when chunked support was introduced. And also added an explicit error message to ngx_http_dav_copy_move_handler() (it was missed for some reason, in contrast to DELETE and MKCOL handlers). 
These checks were missed when chunked support was introduced.  And also
added an explicit error message to ngx_http_dav_copy_move_handler()
(it was missed for some reason, in contrast to DELETE and MKCOL handlers).
Discard request body when redirecting to a URL via error_page. 2019-12-23T12:45:46+00:00 Ruslan Ermilov ru@nginx.com 2019-12-23T12:45:46+00:00 c1be55f97211d38b69ac0c2027e6812ab8b1b94e Reported by Bert JW Regeer and Francisco Oca Gonzalez. 
Reported by Bert JW Regeer and Francisco Oca Gonzalez.
Rewrite: disallow empty replacements. 2019-12-16T12:19:01+00:00 Ruslan Ermilov ru@nginx.com 2019-12-16T12:19:01+00:00 4c031f9a6a879bcc4e86f5b7d4177996c9bca4cd While empty replacements were caught at run-time, parsing code of the "rewrite" directive expects that a minimum length of the "replacement" argument is 1. 
While empty replacements were caught at run-time, parsing code
of the "rewrite" directive expects that a minimum length of the
"replacement" argument is 1.
Tolerate '\0' in URI when mapping URI to path. 2019-12-16T12:19:01+00:00 Ruslan Ermilov ru@nginx.com 2019-12-16T12:19:01+00:00 a5895eb502747f396d3901a948834cd87d5fb0c3 If a rewritten URI has the null character, only a part of URI was copied to a memory buffer allocated for path. In some setups this could be exploited to expose uninitialized memory via the Location header. 
If a rewritten URI has the null character, only a part of URI was
copied to a memory buffer allocated for path.  In some setups this
could be exploited to expose uninitialized memory via the Location
header.
Rewrite: fixed segfault with rewritten URI and "alias". 2019-12-16T12:19:01+00:00 Ruslan Ermilov ru@nginx.com 2019-12-16T12:19:01+00:00 af8ea176a743e97d767b3e1439d549b52dd0367a The "alias" directive cannot be used in the same location where URI was rewritten. This has been detected in the "rewrite ... break" case, but not when the standalone "break" directive was used. This change also fixes proxy_pass with URI component in a similar case: location /aaa/ { rewrite ^ /xxx/yyy; break; proxy_pass http://localhost:8080/bbb/; } Previously, the "/bbb/yyy" would be sent to a backend instead of "/xxx/yyy". And if location's prefix was longer than the rewritten URI, a segmentation fault might occur. 
The "alias" directive cannot be used in the same location where URI
was rewritten.  This has been detected in the "rewrite ... break"
case, but not when the standalone "break" directive was used.

This change also fixes proxy_pass with URI component in a similar
case:

       location /aaa/ {
           rewrite ^ /xxx/yyy;
           break;
           proxy_pass http://localhost:8080/bbb/;
       }

Previously, the "/bbb/yyy" would be sent to a backend instead of
"/xxx/yyy".  And if location's prefix was longer than the rewritten
URI, a segmentation fault might occur.
Fixed request finalization in ngx_http_index_handler(). 2019-12-16T12:19:01+00:00 Ruslan Ermilov ru@nginx.com 2019-12-16T12:19:01+00:00 48086f79ad7d9ac08943312f59215533330617d0 Returning 500 instead of NGX_ERROR is preferable here because header has not yet been sent to the client. 
Returning 500 instead of NGX_ERROR is preferable here because
header has not yet been sent to the client.
Saved some memory allocations. 2019-12-16T12:19:01+00:00 Ruslan Ermilov ru@nginx.com 2019-12-16T12:19:01+00:00 be45a3aa590a5f7e64c6d55e8e0f78565adf4823 In configurations when "root" has variables, some modules unnecessarily allocated memory for the "Location" header value. 
In configurations when "root" has variables, some modules unnecessarily
allocated memory for the "Location" header value.
Dav: fixed Location in successful MKCOL response. 2019-12-16T12:19:01+00:00 Ruslan Ermilov ru@nginx.com 2019-12-16T12:19:01+00:00 6dc0c880e5b94dc507795369196dec5c2f9d2cc2 Instead of reducing URI length to not include the terminating '\0' character in 6ddaac3e0bf7, restore the terminating '/' character. 
Instead of reducing URI length to not include the terminating '\0'
character in 6ddaac3e0bf7, restore the terminating '/' character.