nginx.git/src, branch release-1.28.2 nginx Upstream: reinit upstream after reading bad response. 2026-02-04T17:22:23+00:00 Roman Arutyunyan arut@nginx.com 2026-01-28T16:38:38+00:00 6df8054cb21b4e5e857b4489e623a79575c2ab8e Previously, when connecting to a backend, if the read event handler was called before the write event handler, and the received response triggered a next upstream condition, then ngx_http_upstream_reinit() was not called to clean up the old upstream context. This had multiple implications. For all proxy modules, since the last upstream response was not cleaned up, it was mixed with the next upstream response. This could result in ignoring the second response status code, duplicate response headers or reporting old upstream header errors. With ngx_http_grpc_module and ngx_http_proxy_v2_module, ctx->connection was left dangling since the object it referenced was allocated from the last upstream connection pool, which was deleted when freeing last upstream. This lead to use-after-free when trying to reuse this object for the next upstream. 
Previously, when connecting to a backend, if the read event handler was
called before the write event handler, and the received response triggered
a next upstream condition, then ngx_http_upstream_reinit() was not called
to clean up the old upstream context.  This had multiple implications.

For all proxy modules, since the last upstream response was not cleaned up,
it was mixed with the next upstream response.  This could result in ignoring
the second response status code, duplicate response headers or reporting
old upstream header errors.

With ngx_http_grpc_module and ngx_http_proxy_v2_module, ctx->connection
was left dangling since the object it referenced was allocated from the
last upstream connection pool, which was deleted when freeing last upstream.
This lead to use-after-free when trying to reuse this object for the next
upstream.
Upstream: detect premature plain text response from SSL backend. 2026-02-04T17:22:23+00:00 Roman Arutyunyan arut@nginx.com 2026-01-29T09:27:32+00:00 784fa05025cb8cd0c770f99bc79d2794b9f85b6e When connecting to a backend, the connection write event is triggered first in most cases. However if a response arrives quickly enough, both read and write events can be triggered together within the same event loop iteration. In this case the read event handler is called first and the write event handler is called after it. SSL initialization for backend connections happens only in the write event handler since SSL handshake starts with sending Client Hello. Previously, if a backend sent a quick plain text response, it could be parsed by the read event handler prior to starting SSL handshake on the connection. The change adds protection against parsing such responses on SSL-enabled connections. 
When connecting to a backend, the connection write event is triggered
first in most cases.  However if a response arrives quickly enough, both
read and write events can be triggered together within the same event loop
iteration.  In this case the read event handler is called first and the
write event handler is called after it.

SSL initialization for backend connections happens only in the write event
handler since SSL handshake starts with sending Client Hello.  Previously,
if a backend sent a quick plain text response, it could be parsed by the
read event handler prior to starting SSL handshake on the connection.
The change adds protection against parsing such responses on SSL-enabled
connections.
Win32: fixed C4319 warning with MSVC 2022 x86. 2026-02-04T17:22:23+00:00 Aleksei Bavshin a.bavshin@nginx.com 2025-12-23T18:44:13+00:00 dc50b86db8844f3c243ac374fb08beb79495f3cf The warning started to appear in Visual Studio 2022 version 17.14.21, which corresponds to the C/C++ compiler version 19.44.35221. The appropriate fix is to avoid mixing uint64_t and ngx_uint_t in an expression with bitwise operations. We can do that here because both the original shm->size value and the result of the expression are 32-bit platform words. 
The warning started to appear in Visual Studio 2022 version 17.14.21,
which corresponds to the C/C++ compiler version 19.44.35221.

The appropriate fix is to avoid mixing uint64_t and ngx_uint_t in an
expression with bitwise operations.  We can do that here because both
the original shm->size value and the result of the expression are 32-bit
platform words.
Version bump. 2026-02-04T17:22:23+00:00 Roman Arutyunyan arut@nginx.com 2026-02-04T15:55:53+00:00 c9e4b6a5cada25991f8d21ae7f8341647e37cec8 






Proxy: fixed segfault in URI change.
2025-12-23T18:40:33+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-11-24T11:57:09+00:00

eec047c936347bb1ebb6266a4c83f31fa9c78e24

If request URI was shorter than location prefix, as after replacement
with try_files, location length was used to copy the remaining URI part
leading to buffer overread.

The fix is to replace full request URI in this case.  In the following
configuration, request "/123" is changed to "/" when sent to backend.

    location /1234 {
        try_files /123 =404;
        proxy_pass http://127.0.0.1:8080/;
    }

Closes #983 on GitHub.





If request URI was shorter than location prefix, as after replacement
with try_files, location length was used to copy the remaining URI part
leading to buffer overread.

The fix is to replace full request URI in this case.  In the following
configuration, request "/123" is changed to "/" when sent to backend.

    location /1234 {
        try_files /123 =404;
        proxy_pass http://127.0.0.1:8080/;
    }

Closes #983 on GitHub.







HTTP/2: extended guard for NULL buffer and zero length.
2025-12-23T18:40:33+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-11-14T14:14:18+00:00

2b502468588835e479fcd76a2cc0d00394f2c32c

In addition to moving memcpy() under the length condition in 15bf6d8cc,
which addressed a reported UB due to string function conventions, this
is repeated for advancing an input buffer, to make the resulting code
more clean and readable.

Additionally, although considered harmless for both string functions and
additive operators, as previously discussed in GitHub PR 866, this fixes
the main source of annoying sanitizer reports in the module.

Prodded by UndefinedBehaviorSanitizer (pointer-overflow).





In addition to moving memcpy() under the length condition in 15bf6d8cc,
which addressed a reported UB due to string function conventions, this
is repeated for advancing an input buffer, to make the resulting code
more clean and readable.

Additionally, although considered harmless for both string functions and
additive operators, as previously discussed in GitHub PR 866, this fixes
the main source of annoying sanitizer reports in the module.

Prodded by UndefinedBehaviorSanitizer (pointer-overflow).







OCSP: fixed invalid type for the 'ssl_ocsp' directive.
2025-12-23T18:40:33+00:00

Roman Semenov
r.semenov@f5.com

2025-10-22T18:24:27+00:00

366b5c65ad4b520525865f19bf74e4ee69ca15df












SSL: fixed "key values mismatch" with object cache inheritance.
2025-12-23T18:40:33+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-05-29T13:49:48+00:00

592bda7bb6c202e48da8e4181de936f70edff58e

In rare cases, it was possible to get into this error state on reload
with improperly updated file timestamps for certificate and key pairs.

The fix is to retry on X509_R_KEY_VALUES_MISMATCH, similar to 5d5d9adcc.
Additionally, loading SSL certificate is updated to avoid certificates
discarded on retry to appear in ssl->certs and in extra chain.





In rare cases, it was possible to get into this error state on reload
with improperly updated file timestamps for certificate and key pairs.

The fix is to retry on X509_R_KEY_VALUES_MISMATCH, similar to 5d5d9adcc.
Additionally, loading SSL certificate is updated to avoid certificates
discarded on retry to appear in ssl->certs and in extra chain.







Mail: xtext encoding (RFC 3461) in XCLIENT LOGIN.
2025-12-23T18:40:33+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-09-11T14:23:10+00:00

aa714a1e87bfd0f6807f4333a5b354de583e7e92

The XCLIENT command uses xtext encoding for attribute values,
as specified in https://www.postfix.org/XCLIENT_README.html.

Reported by Igor Morgenstern of Aisle Research.





The XCLIENT command uses xtext encoding for attribute values,
as specified in https://www.postfix.org/XCLIENT_README.html.

Reported by Igor Morgenstern of Aisle Research.







Upstream: overflow detection in Cache-Control delta-seconds.
2025-12-23T18:40:33+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-09-10T14:39:52+00:00

40aff4f241422084b57c27e38f700bc4f4503f6a

Overflowing calculations are now aligned to the greatest positive integer
as specified in RFC 9111, Section 1.2.2.





Overflowing calculations are now aligned to the greatest positive integer
as specified in RFC 9111, Section 1.2.2.