nginx.git/src, branch release-1.16.0

Stable branch.

2019-04-23T13:12:17+00:00

Fixed incorrect length handling in ngx_utf8_length().

2019-04-15T17:14:07+00:00

Previously, ngx_utf8_decode() was called from ngx_utf8_length() with
incorrect length, potentially resulting in out-of-bounds read when
handling invalid UTF-8 strings.

In practice out-of-bounds reads are not possible though, as autoindex, the
only user of ngx_utf8_length(), provides null-terminated strings, and
ngx_utf8_decode() anyway returns an errors when it sees a null in the
middle of an UTF-8 sequence.

Reported by Yunbin Liu.

OCSP stapling: fixed segfault with dynamic certificate loading.

2019-04-15T16:13:09+00:00

If OCSP stapling was enabled with dynamic certificate loading, with some
OpenSSL versions (1.0.2o and older, 1.1.0h and older; fixed in 1.0.2p,
1.1.0i, 1.1.1) a segmentation fault might happen.

The reason is that during an abbreviated handshake the certificate
callback is not called, but the certificate status callback was called
(https://github.com/openssl/openssl/issues/1662), leading to NULL being
returned from SSL_get_certificate().

Fix is to explicitly check SSL_get_certificate() result.

Version bump.

2019-04-15T16:13:06+00:00

OCSP stapling: open ssl_stapling_file in binary-mode.

2019-04-03T12:35:39+00:00

OCSP response uses the DER format and as such needs to be opened in binary-mode.
This only has any effect under Win32.

SSL: missing free calls in $ssl_client_s_dn and $ssl_client_i_dn.

2019-03-26T06:33:57+00:00

If X509_get_issuer_name() or X509_get_subject_name() returned NULL,
this could lead to a certificate reference leak.  It cannot happen
in practice though, since each function returns an internal pointer
to a mandatory subfield of the certificate successfully decoded by
d2i_X509() during certificate message processing (closes #1751).

Version bump.

2019-03-26T15:25:08+00:00

Listen port ranges.

2019-03-06T17:46:09+00:00

A range is specified with a dash.  For each port in a range a separate listen
socket is created.

Examples:

    listen 8080-9000;
    listen example.com:80-88;

Removed sorting of getaddrinfo() results.

2019-03-20T17:31:59+00:00

Previously the ngx_inet_resolve_host() function sorted addresses in a way that
IPv4 addresses came before IPv6 addresses.  This was implemented in eaf95350d75c
(1.3.10) along with the introduction of getaddrinfo() which could resolve host
names to IPv6 addresses.  Since the "listen" directive only used the first
address, sorting allowed to preserve "listen" compatibility with the previous
behavior and with the behavior of nginx built without IPv6 support.  Now
"listen" uses all resolved addresses which makes sorting pointless.

Multiple addresses in "listen".

2019-03-15T12:45:56+00:00

Previously only one address was used by the listen directive handler even if
host name resolved to multiple addresses.  Now a separate listening socket is
created for each address.