nginx.git/src/http, branch release-1.23.2 nginx Mp4: disabled duplicate atoms. 2022-10-19T07:53:17+00:00 Roman Arutyunyan arut@nginx.com 2022-10-19T07:53:17+00:00 0d23105373e6d8a720b9826079c077b9b4be919d Most atoms should not appear more than once in a container. Previously, this was not enforced by the module, which could result in worker process crash, memory corruption and disclosure. 
Most atoms should not appear more than once in a container.  Previously,
this was not enforced by the module, which could result in worker process
crash, memory corruption and disclosure.
SSL: improved validation of ssl_session_cache and ssl_ocsp_cache. 2022-10-17T12:24:53+00:00 Sergey Kandaurov pluknet@nginx.com 2022-10-17T12:24:53+00:00 35fce42269bf1c84eadef6660021cefa08a960d7 Now it properly detects invalid shared zone configuration with omitted size. Previously it used to read outside of the buffer boundary. Found with AddressSanitizer. 
Now it properly detects invalid shared zone configuration with omitted size.
Previously it used to read outside of the buffer boundary.

Found with AddressSanitizer.
PROXY protocol v2 TLV variables. 2022-10-12T12:58:16+00:00 Roman Arutyunyan arut@nginx.com 2022-10-12T12:58:16+00:00 50e3ff8a006100feaa0666cf5e4f9fd5fdcfb721 The variables have prefix $proxy_protocol_tlv_ and are accessible by name and by type. Examples are: $proxy_protocol_tlv_0x01, $proxy_protocol_tlv_alpn. 
The variables have prefix $proxy_protocol_tlv_ and are accessible by name
and by type.  Examples are: $proxy_protocol_tlv_0x01, $proxy_protocol_tlv_alpn.
Range filter: clearing of pre-existing Content-Range headers. 2022-07-15T04:01:44+00:00 Maxim Dounin mdounin@mdounin.ru 2022-07-15T04:01:44+00:00 f35475c083d4cfe56647b66387b60c55e25c27d0 Some servers might emit Content-Range header on 200 responses, and this does not seem to contradict RFC 9110: as per RFC 9110, the Content-Range header has no meaning for status codes other than 206 and 416. Previously this resulted in duplicate Content-Range headers in nginx responses handled by the range filter. Fix is to clear pre-existing headers. 
Some servers might emit Content-Range header on 200 responses, and this
does not seem to contradict RFC 9110: as per RFC 9110, the Content-Range
header has no meaning for status codes other than 206 and 416.  Previously
this resulted in duplicate Content-Range headers in nginx responses handled
by the range filter.  Fix is to clear pre-existing headers.
Upstream: optimized use of SSL contexts (ticket #1234). 2022-06-28T23:47:45+00:00 Maxim Dounin mdounin@mdounin.ru 2022-06-28T23:47:45+00:00 d791b4aab418b0cbadbaf079fbb9360269d97941 To ensure optimal use of memory, SSL contexts for proxying are now inherited from previous levels as long as relevant proxy_ssl_* directives are not redefined. Further, when no proxy_ssl_* directives are redefined in a server block, we now preserve plcf->upstream.ssl in the "http" section configuration to inherit it to all servers. Similar changes made in uwsgi, grpc, and stream proxy. 
To ensure optimal use of memory, SSL contexts for proxying are now
inherited from previous levels as long as relevant proxy_ssl_* directives
are not redefined.

Further, when no proxy_ssl_* directives are redefined in a server block,
we now preserve plcf->upstream.ssl in the "http" section configuration
to inherit it to all servers.

Similar changes made in uwsgi, grpc, and stream proxy.
Perl: removed unused variables, forgotten in ef6a3a99a81a. 2022-06-14T06:39:58+00:00 Sergey Kandaurov pluknet@nginx.com 2022-06-14T06:39:58+00:00 21506a2f851c9dbff4bee67fe5b6d199c83c799a 






Mp4: fixed potential overflow in ngx_http_mp4_crop_stts_data().
2022-06-07T18:58:52+00:00

Maxim Dounin
mdounin@mdounin.ru

2022-06-07T18:58:52+00:00

80fc2ddf57558ec43b94220ce2d3d88e2e470c75

Both "count" and "duration" variables are 32-bit, so their product might
potentially overflow.  It is used to reduce 64-bit start_time variable,
and with very large start_time this can result in incorrect seeking.

Found by Coverity (CID 1499904).





Both "count" and "duration" variables are 32-bit, so their product might
potentially overflow.  It is used to reduce 64-bit start_time variable,
and with very large start_time this can result in incorrect seeking.

Found by Coverity (CID 1499904).







Upstream: handling of certificates specified as an empty string.
2022-06-07T16:08:57+00:00

Sergey Kandaurov
pluknet@nginx.com

2022-06-07T16:08:57+00:00

f08dbefadf083b8546423e35d8d12ba27e46efa8

Now, if the directive is given an empty string, such configuration cancels
loading of certificates, in particular, if they would be otherwise inherited
from the previous level.  This restores previous behaviour, before variables
support in certificates was introduced (3ab8e1e2f0f7).





Now, if the directive is given an empty string, such configuration cancels
loading of certificates, in particular, if they would be otherwise inherited
from the previous level.  This restores previous behaviour, before variables
support in certificates was introduced (3ab8e1e2f0f7).







Upstream: fixed X-Accel-Expires/Cache-Control/Expires handling.
2022-06-06T21:07:12+00:00

Maxim Dounin
mdounin@mdounin.ru

2022-06-06T21:07:12+00:00

8df3ad13c5bb10360221f25ca45ae03dd09e1c3b

Previously, if caching was disabled due to Expires in the past, nginx
failed to cache the response even if it was cacheable as per subsequently
parsed Cache-Control header (ticket #964).

Similarly, if caching was disabled due to Expires in the past,
"Cache-Control: no-cache" or "Cache-Control: max-age=0", caching was not
used if it was cacheable as per subsequently parsed X-Accel-Expires header.

Fix is to avoid disabling caching immediately after parsing Expires in
the past or Cache-Control, but rather set flags which are later checked by
ngx_http_upstream_process_headers() (and cleared by "Cache-Control: max-age"
and X-Accel-Expires).

Additionally, now X-Accel-Expires does not prevent parsing of cache control
extensions, notably stale-while-revalidate and stale-if-error.  This
ensures that order of the X-Accel-Expires and Cache-Control headers is not
important.

Prodded by Vadim Fedorenko and Yugo Horie.





Previously, if caching was disabled due to Expires in the past, nginx
failed to cache the response even if it was cacheable as per subsequently
parsed Cache-Control header (ticket #964).

Similarly, if caching was disabled due to Expires in the past,
"Cache-Control: no-cache" or "Cache-Control: max-age=0", caching was not
used if it was cacheable as per subsequently parsed X-Accel-Expires header.

Fix is to avoid disabling caching immediately after parsing Expires in
the past or Cache-Control, but rather set flags which are later checked by
ngx_http_upstream_process_headers() (and cleared by "Cache-Control: max-age"
and X-Accel-Expires).

Additionally, now X-Accel-Expires does not prevent parsing of cache control
extensions, notably stale-while-revalidate and stale-if-error.  This
ensures that order of the X-Accel-Expires and Cache-Control headers is not
important.

Prodded by Vadim Fedorenko and Yugo Horie.







Upstream: fixed build without http cache (broken by cd73509f21e2).
2022-05-30T21:14:11+00:00

Maxim Dounin
mdounin@mdounin.ru

2022-05-30T21:14:11+00:00

bfc5b35827903a3c543b58e4562db8b62021c164