nginx.git/src, branch release-1.13.0 nginx HTTP/2: reduced difference to HTTP/1.x in reading request body. 2017-04-24T11:17:13+00:00 Valentin Bartenev vbart@nginx.com 2017-04-24T11:17:13+00:00 55b37eff8f700ea1dd279368d5a4a7b00f3c1344 Particularly, this eliminates difference in behavior for requests without body and deduplicates code. Prodded by Piotr Sikora. 
Particularly, this eliminates difference in behavior for requests without body
and deduplicates code.

Prodded by Piotr Sikora.
HTTP/2: rejecting zero WINDOW_UPDATE with PROTOCOL_ERROR. 2017-04-24T11:16:57+00:00 Valentin Bartenev vbart@nginx.com 2017-04-24T11:16:57+00:00 d35c83a3250bedaa85971ddf2cfcd9b703a256ea It's required by RFC 7540. While there is no real harm from such frames, that should help to detect broken clients. Based on a patch by Piotr Sikora. 
It's required by RFC 7540.  While there is no real harm from such frames,
that should help to detect broken clients.

Based on a patch by Piotr Sikora.
Gzip static: use an appropriate error on memory allocation failure. 2017-04-20T15:26:38+00:00 Sergey Kandaurov pluknet@nginx.com 2017-04-20T15:26:38+00:00 beaaeb9f9e642d1d153ee65569d99499eef624e9 






Cleaned up r->headers_out.headers allocation error handling.
2017-04-20T15:26:37+00:00

Sergey Kandaurov
pluknet@nginx.com

2017-04-20T15:26:37+00:00

9ecf8428645579cf66adc5ba939bf1267924c5bc

If initialization of a header failed for some reason after ngx_list_push(),
leaving the header as is can result in uninitialized memory access by
the header filter or the log module.  The fix is to clear partially
initialized headers in case of errors.

For the Cache-Control header, the fix is to postpone pushing
r->headers_out.cache_control until its value is completed.





If initialization of a header failed for some reason after ngx_list_push(),
leaving the header as is can result in uninitialized memory access by
the header filter or the log module.  The fix is to clear partially
initialized headers in case of errors.

For the Cache-Control header, the fix is to postpone pushing
r->headers_out.cache_control until its value is completed.







Core: signal sender pid logging.
2017-04-20T10:58:16+00:00

Igor Sysoev
igor@sysoev.ru

2017-04-20T10:58:16+00:00

30e26a8c57fab4b7d95eacc7fd5c0bae23364529












Sub filter: restored ngx_http_set_ctx() at the proper place.
2017-04-18T16:55:23+00:00

Sergey Kandaurov
pluknet@nginx.com

2017-04-18T16:55:23+00:00

cb7427d86ccb0483538b7d18a991e1df272167cc

Previously, ngx_http_sub_header_filter() could fail with a partially
initialized context, later accessed in ngx_http_sub_body_filter()
if called from the perl content handler.

The issue had appeared in 2c045e5b8291 (1.9.4).

A better fix would be to handle ngx_http_send_header() errors in
the perl module, though this doesn't seem to be easy enough.





Previously, ngx_http_sub_header_filter() could fail with a partially
initialized context, later accessed in ngx_http_sub_body_filter()
if called from the perl content handler.

The issue had appeared in 2c045e5b8291 (1.9.4).

A better fix would be to handle ngx_http_send_header() errors in
the perl module, though this doesn't seem to be easy enough.







SSL: compatibility with OpenSSL master branch.
2017-04-18T13:08:46+00:00

Sergey Kandaurov
pluknet@nginx.com

2017-04-18T13:08:46+00:00

e8c579a18716395911201d3d5114c03ee018afc9

The SSL_CTRL_SET_CURVES_LIST macro is removed in the OpenSSL master branch.
SSL_CTX_set1_curves_list is preserved as compatibility with previous versions.





The SSL_CTRL_SET_CURVES_LIST macro is removed in the OpenSSL master branch.
SSL_CTX_set1_curves_list is preserved as compatibility with previous versions.







SSL: disabled renegotiation detection in client mode.
2017-04-18T13:08:44+00:00

Sergey Kandaurov
pluknet@nginx.com

2017-04-18T13:08:44+00:00

36be79301e513a97ec170950b6c9216100b2c264

CVE-2009-3555 is no longer relevant and mitigated by the renegotiation
info extension (secure renegotiation).  On the other hand, unexpected
renegotiation still introduces potential security risks, and hence we do
not allow renegotiation on the server side, as we never request renegotiation.

On the client side the situation is different though.  There are backends
which explicitly request renegotiation, and disabled renegotiation
introduces interoperability problems.  This change allows renegotiation
on the client side, and fixes interoperability problems as observed with
such backends (ticket #872).

Additionally, with TLSv1.3 the SSL_CB_HANDSHAKE_START flag is currently set
by OpenSSL when receiving a NewSessionTicket message, and was detected by
nginx as a renegotiation attempt.  This looks like a bug in OpenSSL, though
this change also allows better interoperability till the problem is fixed.





CVE-2009-3555 is no longer relevant and mitigated by the renegotiation
info extension (secure renegotiation).  On the other hand, unexpected
renegotiation still introduces potential security risks, and hence we do
not allow renegotiation on the server side, as we never request renegotiation.

On the client side the situation is different though.  There are backends
which explicitly request renegotiation, and disabled renegotiation
introduces interoperability problems.  This change allows renegotiation
on the client side, and fixes interoperability problems as observed with
such backends (ticket #872).

Additionally, with TLSv1.3 the SSL_CB_HANDSHAKE_START flag is currently set
by OpenSSL when receiving a NewSessionTicket message, and was detected by
nginx as a renegotiation attempt.  This looks like a bug in OpenSSL, though
this change also allows better interoperability till the problem is fixed.







SSL: added support for TLSv1.3 in ssl_protocols directive.
2017-04-18T12:12:38+00:00

Sergey Kandaurov
pluknet@nginx.com

2017-04-18T12:12:38+00:00

9a37eb3a62130473596e0e4c2e388d80bdb14956

Support for the TLSv1.3 protocol will be introduced in OpenSSL 1.1.1.





Support for the TLSv1.3 protocol will be introduced in OpenSSL 1.1.1.







Set UDP datagram source address (ticket #1239).
2017-04-11T13:41:53+00:00

Roman Arutyunyan
arut@nginx.com

2017-04-11T13:41:53+00:00

05841adfb2e5d50dee066b6f92cbb95b78c5b725

Previously, the source IP address of a response UDP datagram could differ from
the original datagram destination address.  This could happen if the server UDP
socket is bound to a wildcard address and the network interface chosen to output
the response packet has a different default address than the destination address
of the original packet.  For example, if two addresses from the same network are
configured on an interface.

Now source address is set explicitly if a response is sent for a server UDP
socket bound to a wildcard address.





Previously, the source IP address of a response UDP datagram could differ from
the original datagram destination address.  This could happen if the server UDP
socket is bound to a wildcard address and the network interface chosen to output
the response packet has a different default address than the destination address
of the original packet.  For example, if two addresses from the same network are
configured on an interface.

Now source address is set explicitly if a response is sent for a server UDP
socket bound to a wildcard address.