nginx.git - nginx

Age	Commit message (Collapse)	Author	Files	Lines
2019-10-15	Fixed header parsing with ignore_invalid_headers switched off.	Ruslan Ermilov	1	-0/+4
	The parsing was broken when the first character of the header name was invalid. Based on a patch by Alan Kemp.
2019-10-08	Fixed URI normalization with merge_slashes switched off.	Maxim Dounin	1	-2/+2
	Previously, "/foo///../bar" was normalized into "/foo/bar" instead of "/foo//bar".
2019-10-08	The "/." and "/.." at the end of URI should be normalized.	Ruslan Ermilov	1	-6/+32

2019-10-08	Improved detection of broken percent encoding in URI.	Ruslan Ermilov	1	-0/+4

2019-09-03	Detect runaway chunks in ngx_http_parse_chunked().	Sergey Kandaurov	1	-0/+3
	As defined in HTTP/1.1, body chunks have the following ABNF: chunk = chunk-size [ chunk-ext ] CRLF chunk-data CRLF where chunk-data is a sequence of chunk-size octets. With this change, chunk-data that doesn't end up with CRLF at chunk-size offset will be treated as invalid, such as in the example provided below: 4 SEE-THIS-AND- 4 THAT 0
2018-05-24	Allowed digits, '+', '-', and '.' in scheme names as per RFC 3986.	Ruslan Ermilov	1	-0/+5

2017-07-17	Parenthesized ASCII-related calculations.	Valentin Bartenev	1	-7/+7
	This also fixes potential undefined behaviour in the range and slice filter modules, caused by local overflows of signed integers in expressions.
2017-04-27	Added missing "fall through" comments (ticket #1259).	Maxim Dounin	1	-0/+3
	Found by gcc7 (-Wimplicit-fallthrough).
2017-04-25	Don't pretend we support HTTP major versions >1 as HTTP/1.1.	Ruslan Ermilov	1	-3/+9

2016-10-10	Allowed '-' in method names.	Maxim Dounin	1	-2/+2
	It is used at least by SOAP (M-POST method, defined by RFC 2774) and by WebDAV versioning (VERSION-CONTROL and BASELINE-CONTROL methods, defined by RFC 3253).
2016-07-07	Avoid left-shifting integers into the sign bit, which is undefined.	Sergey Kandaurov	1	-11/+11
	Found with UndefinedBehaviorSanitizer.
2016-05-18	Added overflow checks for version numbers (ticket #762).	Maxim Dounin	1	-0/+16
	Both minor and major versions are now limited to 999 maximum. In case of r->http_minor, this limit is already implied by the code. Major version, r->http_major, in theory can be up to 65535 with current code, but such values are very unlikely to become real (and, additionally, such values are not allowed by RFC 7230), so the same test was used for r->http_major.
2015-03-17	Overflow detection in ngx_http_parse_chunked().	Ruslan Ermilov	1	-4/+8

2014-07-08	Style: add whitespace between control statement and parentheses.	Piotr Sikora	1	-4/+4
	Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-04-29	Upstream: added the "$upstream_cookie_<name>" variables.	Vladimir Homutov	1	-0/+51

2014-03-24	Apply underscores_in_headers also to the first character.	Piotr Sikora	1	-0/+13
	Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2013-12-23	Teach ngx_http_parse_unsafe_uri() how to unescape URIs.	Ruslan Ermilov	1	-3/+60
	This fixes handling of escaped URIs in X-Accel-Redirect (ticket #316), SSI (ticket #240), and DAV.
2013-12-23	Detect more unsafe URIs in ngx_http_parse_unsafe_uri().	Ruslan Ermilov	1	-3/+7
	The following URIs were considered safe: "..", "../foo", and "/foo/..".
2013-11-19	Proper backtracking after space in a request line.	Ruslan Ermilov	1	-0/+2

2013-08-21	Minor ngx_http_parse_request_line() optimization.	Maxim Dounin	1	-0/+3
	Noted by Nils Kuhnhenn.
2013-06-28	Fixed ngx_http_parse_chunked() minimal length calculation.	Maxim Dounin	1	-2/+3
	Minimal data length we expect for further calls was calculated incorrectly if parsing stopped right after parsing chunk size. This might in theory affect clients and/or backends using LF instead of CRLF. Patch by Dmitry Popov.
2013-06-05	Fixed debug logging in ngx_http_parse_complex_uri().	Maxim Dounin	1	-2/+2
	The *u previously logged isn't yet initialized at this point, and Valgrind complains.
2013-05-06	Fixed chunk size parsing.	Maxim Dounin	1	-0/+4

2013-03-20	Preliminary experimental support for SPDY draft 2.	Valentin Bartenev	1	-0/+148

2012-11-21	Request body: adjust b->pos when chunked parsing done.	Maxim Dounin	1	-0/+3
	This is a nop for the current code, though will allow to correctly parse pipelined requests.
2012-11-21	Request body: chunked parsing moved to ngx_http_parse.c from proxy.	Maxim Dounin	1	-0/+253
	No functional changes.
2012-06-05	Win32: normalization of trailing dot inside uri.	Maxim Dounin	1	-0/+20
	Windows treats "/directory./" identical to "/directory/". Do the same when working on Windows. Note that the behaviour is different from one with last path component (where multiple spaces and dots are ignored by Windows).
2012-04-03	Fixed spelling in multiline C comments.	Ruslan Ermilov	1	-1/+1

2012-03-19	For the sake of case/switch code readability, 'fall through'	Maxim Konovalov	1	-0/+1
	comments added.
2012-03-15	Headers with null character are now rejected.	Maxim Dounin	1	-0/+14
	Headers with NUL character aren't allowed by HTTP standard and may cause various security problems. They are now unconditionally rejected.
2012-01-18	Copyright updated.	Maxim Konovalov	1	-0/+1

2011-11-28	Added support for IP-literal in the Host header and request line (ticket #1).	Valentin Bartenev	1	-2/+62
	Additional parsing logic added to correctly handle RFC 3986 compliant IPv6 and IPvFuture characters enclosed in square brackets. The host validation was completely rewritten. The behavior for non IP literals was changed in a more proper and safer way: - Host part is now delimited either by the first colon or by the end of string if there's no colon. Previously the last colon was used as delimiter which allowed substitution of a port number in the $host variable. (e.g. Host: 127.0.0.1:9000:80) - Fixed stripping of the ending dot in the Host header when the host was also followed by a port number. (e.g. Host: nginx.com.:80) - Fixed upper case characters detection. Previously it was broken which led to wasting memory and CPU.
2011-09-15	Protocol version parsing in ngx_http_parse_status_line().	Maxim Dounin	1	-0/+5
	Once we know protocol version, set u->headers_in.connection_close to indicate implicitly assumed connection close with HTTP before 1.1.
2010-06-23	style fix	Igor Sysoev	1	-1/+1

2010-06-15	ngx_http_parse_status_line()	Igor Sysoev	1	-0/+205

2010-06-15	allow spaces in URI	Igor Sysoev	1	-5/+55

2010-06-10	PATCH method	Igor Sysoev	1	-0/+4

2010-06-04	fix "/dir/%3F../" and "/dir/%23../" cases	Igor Sysoev	1	-6/+3

2010-05-24	remove r->zero_in_uri	Igor Sysoev	1	-34/+15

2009-09-25	check unsafe Destination	Igor Sysoev	1	-2/+4

2009-09-14	handle "/../" case more reliably	Igor Sysoev	1	-5/+9

2009-09-02	discrease slightly ngx_http_parse_header_line() size:	Igor Sysoev	1	-2/+1
	this line is not required for LF, however, this case is very seldom
2009-09-01	fix segfault when a header starts with "\rX"	Igor Sysoev	1	-0/+1
	and logging is set to info or debug level
2009-07-20	do not test "..." case since it's Win9x family feature only	Igor Sysoev	1	-72/+0

2009-07-13	allow underscore in request method	Igor Sysoev	1	-2/+2

2009-04-23	ngx_path_separator()	Igor Sysoev	1	-18/+5

2009-04-04	refactor ngx_http_arg() using ngx_strcasestrn(),	Igor Sysoev	1	-8/+8
	back out zero termination introduced in r2138
2009-03-30	fix r2579	Igor Sysoev	1	-0/+2

2009-03-22	style fix: remove tabs	Igor Sysoev	1	-14/+14

2009-03-19	ngx_http_split_args()	Igor Sysoev	1	-0/+34