nginx.git/src, branch release-1.1.15 nginx Disable symlinks: fixed edge cases of path handling. 2012-02-15T12:18:55+00:00 Maxim Dounin mdounin@mdounin.ru 2012-02-15T12:18:55+00:00 32b000bad7df8f0303d74a5c02fbd62e9241d17b This includes non-absolute pathnames, multiple slashes and trailing slashes. In collaboration with Valentin Bartenev. 
This includes non-absolute pathnames, multiple slashes and trailing
slashes.  In collaboration with Valentin Bartenev.
Disable symlinks: cleanup error handling. 2012-02-15T12:17:24+00:00 Maxim Dounin mdounin@mdounin.ru 2012-02-15T12:17:24+00:00 04015a48ca657ac7649401ca75a9414e1b733d63 Notably this fixes NGX_INVALID_FILE/NGX_FILE_ERROR mess, and adds logging of close() errors. In collaboration with Valentin Bartenev. 
Notably this fixes NGX_INVALID_FILE/NGX_FILE_ERROR mess, and adds
logging of close() errors.  In collaboration with Valentin Bartenev.
Support for disable_symlinks in various modules. 2012-02-13T16:32:21+00:00 Andrey Belov defan@nginx.com 2012-02-13T16:32:21+00:00 8ce8f6667f3f14c004148138c0aec3dff79c350b 






Added disable_symlinks directive.
2012-02-13T16:29:04+00:00

Andrey Belov
defan@nginx.com

2012-02-13T16:29:04+00:00

bd1e719bf9c4bc58076e7b52e87be645c9b803f5

To completely disable symlinks (disable_symlinks on)
we use openat(O_NOFOLLOW) for each path component
to avoid races.

To allow symlinks with the same owner (disable_symlinks if_not_owner),
use openat() (followed by fstat()) and fstatat(AT_SYMLINK_NOFOLLOW),
and then compare uids between fstat() and fstatat().

As there is a race between openat() and fstatat() we don't
know if openat() in fact opened symlink or not.  Therefore,
we have to compare uids even if fstatat() reports the opened
component isn't a symlink (as we don't know whether it was
symlink during openat() or not).

Default value is off, i.e. symlinks are allowed.





To completely disable symlinks (disable_symlinks on)
we use openat(O_NOFOLLOW) for each path component
to avoid races.

To allow symlinks with the same owner (disable_symlinks if_not_owner),
use openat() (followed by fstat()) and fstatat(AT_SYMLINK_NOFOLLOW),
and then compare uids between fstat() and fstatat().

As there is a race between openat() and fstatat() we don't
know if openat() in fact opened symlink or not.  Therefore,
we have to compare uids even if fstatat() reports the opened
component isn't a symlink (as we don't know whether it was
symlink during openat() or not).

Default value is off, i.e. symlinks are allowed.







Changed ngx_open_and_stat_file() to use ngx_str_t.
2012-02-13T16:16:45+00:00

Andrey Belov
defan@nginx.com

2012-02-13T16:16:45+00:00

32c8df44d5f53026d92ec24bcf4c864359395e55

No functional changes.





No functional changes.







Added openat()/fstatat().
2012-02-13T16:13:21+00:00

Andrey Belov
defan@nginx.com

2012-02-13T16:13:21+00:00

71205c3fbc530ec810e18b0cfb6f8db5bb8d1cd1












Time parsing cleanup.
2012-02-13T15:41:11+00:00

Maxim Dounin
mdounin@mdounin.ru

2012-02-13T15:41:11+00:00

9f38b20db50a22b434d35c9bf3c5b08d5ddfbd8b

Nuke NGX_PARSE_LARGE_TIME, it's not used since 0.6.30.  The only error
ngx_parse_time() can currently return is NGX_ERROR, check it explicitly
and make sure to cast it to appropriate type (either time_t or ngx_msec_t)
to avoid signedness warnings on platforms with unsigned time_t (notably QNX).





Nuke NGX_PARSE_LARGE_TIME, it's not used since 0.6.30.  The only error
ngx_parse_time() can currently return is NGX_ERROR, check it explicitly
and make sure to cast it to appropriate type (either time_t or ngx_msec_t)
to avoid signedness warnings on platforms with unsigned time_t (notably QNX).







Fixed build with embedded perl and --with-openssl.
2012-02-13T15:38:48+00:00

Maxim Dounin
mdounin@mdounin.ru

2012-02-13T15:38:48+00:00

8cb7134f49bcdded469b3e72415b96794190257e












Core: protection from cycles with named locations and post_action.
2012-02-13T15:35:48+00:00

Maxim Dounin
mdounin@mdounin.ru

2012-02-13T15:35:48+00:00

7dff998495d527041dbd7f48770dfc395ddabaee

Now redirects to named locations are counted against normal uri changes
limit, and post_action respects this limit as well.  As a result at least
the following (bad) configurations no longer trigger infinite cycles:

1. Post action which recursively triggers post action:

    location / {
        post_action /index.html;
    }

2. Post action pointing to nonexistent named location:

    location / {
        post_action @nonexistent;
    }

3. Recursive error page for 500 (Internal Server Error) pointing to
   a nonexistent named location:

    location / {
        recursive_error_pages on;
        error_page 500 @nonexistent;
        return 500;
    }





Now redirects to named locations are counted against normal uri changes
limit, and post_action respects this limit as well.  As a result at least
the following (bad) configurations no longer trigger infinite cycles:

1. Post action which recursively triggers post action:

    location / {
        post_action /index.html;
    }

2. Post action pointing to nonexistent named location:

    location / {
        post_action @nonexistent;
    }

3. Recursive error page for 500 (Internal Server Error) pointing to
   a nonexistent named location:

    location / {
        recursive_error_pages on;
        error_page 500 @nonexistent;
        return 500;
    }







Core: protection from subrequest loops.
2012-02-13T15:33:08+00:00

Maxim Dounin
mdounin@mdounin.ru

2012-02-13T15:33:08+00:00

1b0ad6ee72179fef479bfae7c8c4bfd5ac834c29

Without the protection, subrequest loop results in r->count overflow and
SIGSEGV.  Protection was broken in 0.7.25.

Note that this also limits number of parallel subrequests.  This
wasn't exactly the case before 0.7.25 as local subrequests were
completed directly.

See here for details:
http://nginx.org/pipermail/nginx-ru/2010-February/032184.html





Without the protection, subrequest loop results in r->count overflow and
SIGSEGV.  Protection was broken in 0.7.25.

Note that this also limits number of parallel subrequests.  This
wasn't exactly the case before 0.7.25 as local subrequests were
completed directly.

See here for details:
http://nginx.org/pipermail/nginx-ru/2010-February/032184.html