nginx.git/src/http, branch release-1.17.9 nginx Simplified subrequest finalization. 2020-02-28T16:54:13+00:00 Roman Arutyunyan arut@nginx.com 2020-02-28T16:54:13+00:00 76ac67b36f2db9acb2aeb4672f0aeaa8008e7d93 Now it looks similar to what it was before background subrequests were introduced in 9552758a786e. 
Now it looks similar to what it was before background subrequests were
introduced in 9552758a786e.
Fixed premature background subrequest finalization. 2020-03-02T17:07:36+00:00 Dmitry Volyntsev xeioex@nginx.com 2020-03-02T17:07:36+00:00 3733c6fd70a9e9ce64901982621629a8cfcc66a8 When "aio" or "aio threads" is used while processing the response body of an in-memory background subrequest, the subrequest could be finalized with an aio operation still in progress. Upon aio completion either parent request is woken or the old r->write_event_handler is called again. The latter may result in request errors. In either case post_subrequest handler is never called with the full response body, which is typically expected when using in-memory subrequests. Currently in nginx background subrequests are created by the upstream module and the mirror module. The issue does not manifest itself with these subrequests because they are header-only. But it can manifest itself with third-party modules which create in-memory background subrequests. 
When "aio" or "aio threads" is used while processing the response body of an
in-memory background subrequest, the subrequest could be finalized with an aio
operation still in progress.  Upon aio completion either parent request is
woken or the old r->write_event_handler is called again.  The latter may result
in request errors.  In either case post_subrequest handler is never called with
the full response body, which is typically expected when using in-memory
subrequests.

Currently in nginx background subrequests are created by the upstream module
and the mirror module.  The issue does not manifest itself with these
subrequests because they are header-only.  But it can manifest itself with
third-party modules which create in-memory background subrequests.
Added default overwrite in error_page 494. 2020-02-28T14:21:18+00:00 Maxim Dounin mdounin@mdounin.ru 2020-02-28T14:21:18+00:00 6ba18bc35ee1bdf95130ee653adf451928ae8b74 We used to have default error_page overwrite for 495, 496, and 497, so a configuration like error_page 495 /error; will result in error 400, much like without any error_page configured. The 494 status code was introduced later (in 3848:de59ad6bf557, nginx 0.9.4), and relevant changes to ngx_http_core_error_page() were missed, resulting in inconsistent behaviour of "error_page 494" - with error_page configured it results in 494 being returned instead of 400. Reported by Frank Liu, http://mailman.nginx.org/pipermail/nginx/2020-February/058957.html. 
We used to have default error_page overwrite for 495, 496, and 497, so
a configuration like

    error_page 495 /error;

will result in error 400, much like without any error_page configured.

The 494 status code was introduced later (in 3848:de59ad6bf557, nginx 0.9.4),
and relevant changes to ngx_http_core_error_page() were missed, resulting
in inconsistent behaviour of "error_page 494" - with error_page configured
it results in 494 being returned instead of 400.

Reported by Frank Liu,
http://mailman.nginx.org/pipermail/nginx/2020-February/058957.html.
Mp4: fixed possible chunk offset overflow. 2020-02-26T12:10:46+00:00 Roman Arutyunyan arut@nginx.com 2020-02-26T12:10:46+00:00 ba27037a498ed3839648d7a4097b01ed14949f18 In "co64" atom chunk start offset is a 64-bit unsigned integer. When trimming the "mdat" atom, chunk offsets are casted to off_t values which are typically 64-bit signed integers. A specially crafted mp4 file with huge chunk offsets may lead to off_t overflow and result in negative trim boundaries. The consequences of the overflow are: - Incorrect Content-Length header value in the response. - Negative left boundary of the response file buffer holding the trimmed "mdat". This leads to pread()/sendfile() errors followed by closing the client connection. On rare systems where off_t is a 32-bit integer, this scenario is also feasible with the "stco" atom. The fix is to add checks which make sure data chunks referenced by each track are within the mp4 file boundaries. Additionally a few more checks are added to ensure mp4 file consistency and log errors. 
In "co64" atom chunk start offset is a 64-bit unsigned integer.  When trimming
the "mdat" atom, chunk offsets are casted to off_t values which are typically
64-bit signed integers.  A specially crafted mp4 file with huge chunk offsets
may lead to off_t overflow and result in negative trim boundaries.

The consequences of the overflow are:
- Incorrect Content-Length header value in the response.
- Negative left boundary of the response file buffer holding the trimmed "mdat".
  This leads to pread()/sendfile() errors followed by closing the client
  connection.

On rare systems where off_t is a 32-bit integer, this scenario is also feasible
with the "stco" atom.

The fix is to add checks which make sure data chunks referenced by each track
are within the mp4 file boundaries.  Additionally a few more checks are added to
ensure mp4 file consistency and log errors.
Disabled connection reuse while in SSL handshake. 2020-02-27T16:03:21+00:00 Sergey Kandaurov pluknet@nginx.com 2020-02-27T16:03:21+00:00 f909a7dc331621a8638ea46056e437b8be1496da During SSL handshake, the connection could be reused in the OCSP stapling callback, if configured, which subsequently leads to a segmentation fault. 
During SSL handshake, the connection could be reused in the OCSP stapling
callback, if configured, which subsequently leads to a segmentation fault.
Disabled duplicate "Host" headers (ticket #1724). 2020-02-20T13:51:07+00:00 Maxim Dounin mdounin@mdounin.ru 2020-02-20T13:51:07+00:00 37984f0be1a5d608015517a64927d498888fb7ca Duplicate "Host" headers were allowed in nginx 0.7.0 (revision b9de93d804ea) as a workaround for some broken Motorola phones which used to generate requests with two "Host" headers[1]. It is believed that this workaround is no longer relevant. [1] http://mailman.nginx.org/pipermail/nginx-ru/2008-May/017845.html 
Duplicate "Host" headers were allowed in nginx 0.7.0 (revision b9de93d804ea)
as a workaround for some broken Motorola phones which used to generate
requests with two "Host" headers[1].  It is believed that this workaround
is no longer relevant.

[1] http://mailman.nginx.org/pipermail/nginx-ru/2008-May/017845.html
Removed "Transfer-Encoding: identity" support. 2020-02-20T13:19:34+00:00 Maxim Dounin mdounin@mdounin.ru 2020-02-20T13:19:34+00:00 b4d6b70d7f2e8207df02ab354da907475dcab8a5 The "identity" transfer coding has been removed in RFC 7230. It is believed that it is not used in real life, and at the same time it provides a potential attack vector. 
The "identity" transfer coding has been removed in RFC 7230.  It is
believed that it is not used in real life, and at the same time it
provides a potential attack vector.
Disabled multiple Transfer-Encoding headers. 2020-02-20T13:19:29+00:00 Maxim Dounin mdounin@mdounin.ru 2020-02-20T13:19:29+00:00 e64d798edb9950ef32ab98c21c190b513a3e262c We anyway do not support more than one transfer encoding, so accepting requests with multiple Transfer-Encoding headers doesn't make sense. Further, we do not handle multiple headers, and ignore anything but the first header. Reported by Filippo Valsorda. 
We anyway do not support more than one transfer encoding, so accepting
requests with multiple Transfer-Encoding headers doesn't make sense.
Further, we do not handle multiple headers, and ignore anything but
the first header.

Reported by Filippo Valsorda.
Made ngx_http_get_forwarded_addr_internal() non-recursive. 2020-02-11T10:22:44+00:00 Vladimir Homutov vl@nginx.com 2020-02-11T10:22:44+00:00 de5a054b338ab14fc240f1062f023f7f0ef0d605 






HTTP/2: fixed socket leak with an incomplete HEADERS frame.
2020-02-05T13:29:23+00:00

Sergey Kandaurov
pluknet@nginx.com

2020-02-05T13:29:23+00:00

16168dcb01ed5dbf6365be0d9ea0da68bf479194

A connection could get stuck without timers if a client has partially sent
the HEADERS frame such that it was split on the individual header boundary.
In this case, it cannot be processed without the rest of the HEADERS frame.

The fix is to call ngx_http_v2_state_headers_save() in this case.  Normally,
it would be called from the ngx_http_v2_state_header_block() handler on the
next iteration, when there is not enough data to continue processing.  This
isn't the case if recv_buffer became empty and there's no more data to read.





A connection could get stuck without timers if a client has partially sent
the HEADERS frame such that it was split on the individual header boundary.
In this case, it cannot be processed without the rest of the HEADERS frame.

The fix is to call ngx_http_v2_state_headers_save() in this case.  Normally,
it would be called from the ngx_http_v2_state_header_block() handler on the
next iteration, when there is not enough data to continue processing.  This
isn't the case if recv_buffer became empty and there's no more data to read.