nginx.git/src/http, branch release-1.28.1 nginx Proxy: fixed segfault in URI change. 2025-12-23T18:40:33+00:00 Sergey Kandaurov pluknet@nginx.com 2025-11-24T11:57:09+00:00 eec047c936347bb1ebb6266a4c83f31fa9c78e24 If request URI was shorter than location prefix, as after replacement with try_files, location length was used to copy the remaining URI part leading to buffer overread. The fix is to replace full request URI in this case. In the following configuration, request "/123" is changed to "/" when sent to backend. location /1234 { try_files /123 =404; proxy_pass http://127.0.0.1:8080/; } Closes #983 on GitHub. 
If request URI was shorter than location prefix, as after replacement
with try_files, location length was used to copy the remaining URI part
leading to buffer overread.

The fix is to replace full request URI in this case.  In the following
configuration, request "/123" is changed to "/" when sent to backend.

    location /1234 {
        try_files /123 =404;
        proxy_pass http://127.0.0.1:8080/;
    }

Closes #983 on GitHub.
HTTP/2: extended guard for NULL buffer and zero length. 2025-12-23T18:40:33+00:00 Sergey Kandaurov pluknet@nginx.com 2025-11-14T14:14:18+00:00 2b502468588835e479fcd76a2cc0d00394f2c32c In addition to moving memcpy() under the length condition in 15bf6d8cc, which addressed a reported UB due to string function conventions, this is repeated for advancing an input buffer, to make the resulting code more clean and readable. Additionally, although considered harmless for both string functions and additive operators, as previously discussed in GitHub PR 866, this fixes the main source of annoying sanitizer reports in the module. Prodded by UndefinedBehaviorSanitizer (pointer-overflow). 
In addition to moving memcpy() under the length condition in 15bf6d8cc,
which addressed a reported UB due to string function conventions, this
is repeated for advancing an input buffer, to make the resulting code
more clean and readable.

Additionally, although considered harmless for both string functions and
additive operators, as previously discussed in GitHub PR 866, this fixes
the main source of annoying sanitizer reports in the module.

Prodded by UndefinedBehaviorSanitizer (pointer-overflow).
OCSP: fixed invalid type for the 'ssl_ocsp' directive. 2025-12-23T18:40:33+00:00 Roman Semenov r.semenov@f5.com 2025-10-22T18:24:27+00:00 366b5c65ad4b520525865f19bf74e4ee69ca15df 






Upstream: overflow detection in Cache-Control delta-seconds.
2025-12-23T18:40:33+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-09-10T14:39:52+00:00

40aff4f241422084b57c27e38f700bc4f4503f6a

Overflowing calculations are now aligned to the greatest positive integer
as specified in RFC 9111, Section 1.2.2.





Overflowing calculations are now aligned to the greatest positive integer
as specified in RFC 9111, Section 1.2.2.







Fixed inaccurate index directive error report.
2025-12-23T18:40:33+00:00

willmafh
willmafh@hotmail.com

2025-09-08T14:03:30+00:00

ffad76677c1a3a96b0daed4dd4df0bd9e9e6aa65












Auth basic: fixed file descriptor leak on memory allocation error.
2025-12-23T18:40:33+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-08-08T15:44:27+00:00

95b81d1c2080ca826267b593a4434151064bed4e

Found by Coverity (CID 1662016).





Found by Coverity (CID 1662016).







HTTP/2: fixed handling of the ":authority" header.
2025-12-23T18:40:33+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-07-23T10:54:07+00:00

62e757ec60b58b915d71c1d0630c8a6384a62287

Previously, it misused the Host header processing resulting in
400 (Bad Request) errors for a valid request that contains both
":authority" and Host headers with the same value, treating it
after 37984f0be as if client sent more than one Host header.
Such an overly strict handling violates RFC 9113.

The fix is to process ":authority" as a distinct header, similarly
to processing an authority component in the HTTP/1.x request line.
This allows to disambiguate and compare Host and ":authority"
values after all headers were processed.

With this change, the ngx_http_process_request_header() function
can no longer be used here, certain parts were inlined similar to
the HTTP/3 module.

To provide compatibility for misconfigurations that use $http_host
to return the value of the ":authority" header, the Host header,
if missing, is now reconstructed from ":authority".





Previously, it misused the Host header processing resulting in
400 (Bad Request) errors for a valid request that contains both
":authority" and Host headers with the same value, treating it
after 37984f0be as if client sent more than one Host header.
Such an overly strict handling violates RFC 9113.

The fix is to process ":authority" as a distinct header, similarly
to processing an authority component in the HTTP/1.x request line.
This allows to disambiguate and compare Host and ":authority"
values after all headers were processed.

With this change, the ngx_http_process_request_header() function
can no longer be used here, certain parts were inlined similar to
the HTTP/3 module.

To provide compatibility for misconfigurations that use $http_host
to return the value of the ":authority" header, the Host header,
if missing, is now reconstructed from ":authority".







HTTP/2: factored out constructing the Host header.
2025-12-23T18:40:33+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-07-23T10:32:34+00:00

86dacb7ebe16cdac04c8b5317d4c91b7267b1e75

No functional changes.





No functional changes.







HTTP/3: fixed handling of :authority and Host with port.
2025-12-23T18:40:33+00:00

Roman Arutyunyan
arut@nginx.com

2025-06-26T16:19:59+00:00

bbf65b6e87dfc7f3a42651a55406e214a783808c

RFC 9114, Section 4.3.1. specifies a restriction for :authority and Host
coexistence in an HTTP/3 request:

: If both fields are present, they MUST contain the same value.

Previously, this restriction was correctly enforced only for portless
values.  When Host contained a port, the request failed as if :authority
and Host were different, regardless of :authority presence.

This happens because the value of r->headers_in.server used for :authority
has port stripped.  The fix is to use r->host_start / r->host_end instead.





RFC 9114, Section 4.3.1. specifies a restriction for :authority and Host
coexistence in an HTTP/3 request:

: If both fields are present, they MUST contain the same value.

Previously, this restriction was correctly enforced only for portless
values.  When Host contained a port, the request failed as if :authority
and Host were different, regardless of :authority presence.

This happens because the value of r->headers_in.server used for :authority
has port stripped.  The fix is to use r->host_start / r->host_end instead.







HTTP/3: fixed potential type overflow in string literal parser.
2025-12-23T18:40:33+00:00

Sergey Kandaurov
pluknet@nginx.com

2024-09-05T15:35:43+00:00

a5cfa096d26933b1789d86df8af9c12574c23cc5

This might happen for Huffman encoded string literals as the result
of length expansion.  Notably, the maximum length of string literals
is already limited with the "large_client_header_buffers" directive,
so this was only possible with nonsensically large configured limits.





This might happen for Huffman encoded string literals as the result
of length expansion.  Notably, the maximum length of string literals
is already limited with the "large_client_header_buffers" directive,
so this was only possible with nonsensically large configured limits.