nginx.git/src/http, branch release-1.30.0 nginx Upstream: reset early_hints_length on upstream reinit. 2026-04-06T16:59:00+00:00 David Carlier devnexen@gmail.com 2026-03-15T15:56:01+00:00 1709bffe6ebb5bfd4d71893d65920fdc4bf82f65 When a request was retried to a new upstream after receiving 103 Early Hints from the previous one, the accumulated early_hints_length was not reset, causing valid early hints from the next upstream to be incorrectly rejected as "too big". 
When a request was retried to a new upstream after receiving 103
Early Hints from the previous one, the accumulated early_hints_length
was not reset, causing valid early hints from the next upstream to be
incorrectly rejected as "too big".
Fix $request_port and $is_request_port in subrequests 2026-04-06T10:53:54+00:00 Zoey zoey@z0ey.de 2026-04-05T09:31:15+00:00 067d766f210ee914b750d79d9284cbf8801058f3 Closes #1247. 
Closes #1247.
Added max_headers directive. 2026-04-06T10:08:36+00:00 Maxim Dounin mdounin@mdounin.ru 2024-05-23T21:20:01+00:00 365694160a85229a7cb006738de9260d49ff5fa2 The directive limits the number of request headers accepted from clients. While the total amount of headers is believed to be sufficiently limited by the existing buffer size limits (client_header_buffer_size and large_client_header_buffers), the additional limit on the number of headers might be beneficial to better protect backend servers. Requested by Maksim Yevmenkin. Signed-off-by: Elijah Zupancic <e.zupancic@f5.com> Origin: <https://freenginx.org/hg/nginx/rev/199dc0d6b05be814b5c811876c20af58cd361fea> 
The directive limits the number of request headers accepted from clients.
While the total amount of headers is believed to be sufficiently limited
by the existing buffer size limits (client_header_buffer_size and
large_client_header_buffers), the additional limit on the number of headers
might be beneficial to better protect backend servers.

Requested by Maksim Yevmenkin.

Signed-off-by: Elijah Zupancic <e.zupancic@f5.com>
Origin: <https://freenginx.org/hg/nginx/rev/199dc0d6b05be814b5c811876c20af58cd361fea>
Upstream: fix integer underflow in charset parsing 2026-04-06T10:07:18+00:00 David Korczynski david@adalogics.com 2026-03-04T09:27:45+00:00 06c30ec29d392af00157c0b0eecbc545b330e50f The issue described below was only reproducible prior to https://github.com/nginx/nginx/commit/7924a4ec6cb35291ea60a5f2a70ac0a034d94ff7 When parsing the `charset` parameter in the `Content-Type` header within `ngx_http_upstream_copy_content_type`, an input such as `charset="` resulted in an integer underflow. In this scenario, both `p` and `last` point to the position immediately following the opening quote. The logic to strip a trailing quote checked `*(last - 1)` without verifying that `last > p`. This caused `last` to be decremented to point to the opening quote itself, making `last < p`. The subsequent length calculation `r->headers_out.charset.len = last - p` resulted in -1, which wrapped to `SIZE_MAX` as `len` is a `size_t`. This invalid length was later passed to `ngx_cpymem` in `ngx_http_header_filter`, leading to an out-of-bounds memory access (detected as `negative-size-param` by AddressSanitizer). The fix ensures `last > p` before attempting to strip a trailing quote, correctly resulting in a zero-length charset for malformed input. The oss-fuzz payload that triggers this issue holds multiple 103 status lines, and it's a sequence of 2 of those Content-Type headers that trigger the ASAN report. Co-authored-by: CodeMender <codemender-patching@google.com> Fixes: https://issues.oss-fuzz.com/issues/486561029 Signed-off-by: David Korczynski <david@adalogics.com> 
The issue described below was only reproducible prior to
https://github.com/nginx/nginx/commit/7924a4ec6cb35291ea60a5f2a70ac0a034d94ff7

When parsing the `charset` parameter in the `Content-Type` header within
`ngx_http_upstream_copy_content_type`, an input such as `charset="`
resulted in an integer underflow.

In this scenario, both `p` and `last` point to the position immediately
following the opening quote. The logic to strip a trailing quote checked
`*(last - 1)` without verifying that `last > p`. This caused `last` to
be decremented to point to the opening quote itself, making `last < p`.

The subsequent length calculation `r->headers_out.charset.len = last - p`
resulted in -1, which wrapped to `SIZE_MAX` as `len` is a `size_t`. This
invalid length was later passed to `ngx_cpymem` in `ngx_http_header_filter`,
leading to an out-of-bounds memory access (detected as
`negative-size-param` by AddressSanitizer).

The fix ensures `last > p` before attempting to strip a trailing quote,
correctly resulting in a zero-length charset for malformed input.

The oss-fuzz payload that triggers this issue holds multiple 103 status
lines, and it's a sequence of 2 of those Content-Type headers that
trigger the ASAN report.

Co-authored-by: CodeMender <codemender-patching@google.com>
Fixes: https://issues.oss-fuzz.com/issues/486561029

Signed-off-by: David Korczynski <david@adalogics.com>
Upstream: fixed processing multiple 103 (early hints) responses. 2026-04-02T16:54:32+00:00 Sergey Kandaurov pluknet@nginx.com 2026-04-02T13:41:56+00:00 7924a4ec6cb35291ea60a5f2a70ac0a034d94ff7 The second 103 response in a row was treated as the final response header. 
The second 103 response in a row was treated as the final response header.
Fixed the "include" directive inside the "geo" block. 2026-03-24T18:20:16+00:00 Eugene Grebenschikov e.grebenshchikov@f5.com 2026-03-12T00:57:05+00:00 0de6e878ba43b55dd23b437c5be1819a55f63ec4 The "include" directive should be able to include multiple files if given a filename mask. Completes remaining changes introduced in da4ffd8. Closes: https://github.com/nginx/nginx/issues/1165 
The "include" directive should be able to include multiple files if
given a filename mask.

Completes remaining changes introduced in da4ffd8.

Closes: https://github.com/nginx/nginx/issues/1165
Dav: destination length validation for COPY and MOVE. 2026-03-24T14:45:25+00:00 Roman Arutyunyan arut@nginx.com 2026-03-16T16:13:03+00:00 9739e755b8dddba82e65ca2a08d079f4c9826b75 Previously, when alias was used in a location with Dav COPY or MOVE enabled, and the destination URI was shorter than the alias, integer underflow could happen in ngx_http_map_uri_to_path(), which could result in heap buffer overwrite, followed by a possible segfault. With some implementations of memcpy(), the segfault could be avoided and the overwrite could result in a change of the source or destination file names to be outside of the location root. Reported by Calif.io in collaboration with Claude and Anthropic Research. 
Previously, when alias was used in a location with Dav COPY or MOVE
enabled, and the destination URI was shorter than the alias, integer
underflow could happen in ngx_http_map_uri_to_path(), which could
result in heap buffer overwrite, followed by a possible segfault.
With some implementations of memcpy(), the segfault could be avoided
and the overwrite could result in a change of the source or destination
file names to be outside of the location root.

Reported by Calif.io in collaboration with Claude and Anthropic Research.
Mp4: fixed possible integer overflow on 32-bit platforms. 2026-03-24T14:44:57+00:00 Roman Arutyunyan arut@nginx.com 2026-03-02T17:12:34+00:00 3568812cf98dfd7661cd7516ecf9b398c134ab3c Previously, a 32-bit overflow could happen while validating atom entries count. This allowed processing of an invalid atom with entrires beyond its boundaries with reads and writes outside of the allocated mp4 buffer. Reported by Prabhav Srinath (sprabhav7). 
Previously, a 32-bit overflow could happen while validating atom entries
count.  This allowed processing of an invalid atom with entrires beyond
its boundaries with reads and writes outside of the allocated mp4 buffer.

Reported by Prabhav Srinath (sprabhav7).
Mp4: avoid zero size buffers in output. 2026-03-24T14:12:29+00:00 Roman Arutyunyan arut@nginx.com 2026-02-21T08:04:36+00:00 7725c372c2fe11ff908b1d6138be219ad694c42f Previously, data validation checks did not cover the cases when the output contained empty buffers. Such buffers are considered illegal and produce "zero size buf in output" alerts. The change rejects the mp4 files which produce such alerts. Also, the change fixes possible buffer overread and overwrite that could happen while processing empty stco and co64 atoms, as reported by Pavel Kohout (Aisle Research) and Tim Becker. 
Previously, data validation checks did not cover the cases when the output
contained empty buffers.  Such buffers are considered illegal and produce
"zero size buf in output" alerts.  The change rejects the mp4 files which
produce such alerts.

Also, the change fixes possible buffer overread and overwrite that could
happen while processing empty stco and co64 atoms, as reported by
Pavel Kohout (Aisle Research) and Tim Becker.
Upstream keepalive: fixed parameter parsing. 2026-03-24T11:38:16+00:00 Roman Arutyunyan arut@nginx.com 2026-03-24T11:12:05+00:00 d787755d50c96b8f0fc1c5c2df62e8ea3bd9031f