  1. Aug 13, 2019
  2. Aug 01, 2019
    • Mail: fixed duplicate resolving. · abe66063
      Maxim Dounin authored
      When using SMTP with SSL and resolver, read events might be enabled
      during address resolving, leading to duplicate ngx_mail_ssl_handshake_handler()
      calls if something arrives from the client, and duplicate session
      initialization - including starting another resolving.  This can lead
      to a segmentation fault if the session is closed after first resolving
      finished.  Fix is to block read events while resolving.
      
      Reported by Robert Norris,
      http://mailman.nginx.org/pipermail/nginx/2019-July/058204.html.
  3. Jul 31, 2019
    • Gzip: fixed "zero size buf" alerts after ac5a741d39cf. · 39c40428
      Maxim Dounin authored
      After ac5a741d39cf it is now possible that after zstream.avail_out
      reaches 0 and we allocate additional buffer, there will be no more data
      to put into this buffer, triggering "zero size buf" alert.  Fix is to
      reset b->temporary flag in this case.
      
      Additionally, an optimization added to avoid allocating additional buffer
      in this case, by checking if last deflate() call returned Z_STREAM_END.
      Note that checking for Z_STREAM_END by itself is not enough to fix alerts,
      as deflate() can return Z_STREAM_END without producing any output if the
      buffer is smaller than gzip trailer.
      
      Reported by Witold Filipczyk,
      http://mailman.nginx.org/pipermail/nginx-devel/2019-July/012469.html.
    • Version bump. · 6179b98e
      Maxim Dounin authored
  4. Jul 23, 2019
  5. Jul 19, 2019
  6. Jul 18, 2019
    • Xslt: fixed potential buffer overflow with null character. · 21875862
      Maxim Dounin authored
      Due to shortcomings of the ccv->zero flag implementation in complex value
      interface, length of the resulting string from ngx_http_complex_value()
      might either not include terminating null character or include it,
      so the only safe way to work with the result is to use it as a
      null-terminated string.
      
      Reported by Patrick Wollgast.
    • SSI: avoid potential buffer overflow. · ad42d70f
      Maxim Dounin authored
      When "-" follows a parameter of maximum length, a single byte buffer
      overflow happens, since the error branch does not check parameter length.
      Fix is to avoid saving "-" to the parameter key, and instead use an error
      message with "-" explicitly written.  The message is mostly identical to
      one used in similar cases in the preequal state.
      
      Reported by Patrick Wollgast.
    • Upstream: fixed EOF handling in unbuffered and upgraded modes. · 20c8c4fe
      Maxim Dounin authored
      With level-triggered event methods it is important to specify
      the NGX_CLOSE_EVENT flag to ngx_handle_read_event(), otherwise
      the event won't be removed, resulting in CPU hog.
      
      Reported by Patrick Wollgast.
    • HTTP/2: return error on output on closed stream. · 36dfa020
      Maxim Dounin authored
      Without this, an (incorrect) output on a closed stream could result in
      a socket leak.
    • Core: fixed segfault with too large bucket sizes (ticket #1806). · 55164070
      Maxim Dounin authored
      To save memory hash code uses u_short to store resulting bucket sizes,
      so maximum bucket size is limited to 65536 minus ngx_cacheline_size (larger
      values will be aligned to 65536 which will overflow u_short).  However,
      there were no checks to enforce this, and using larger bucket sizes
      resulted in overflows and segmentation faults.
      
      Appropriate safety checks to enforce this added to ngx_hash_init().
  7. Jul 17, 2019
  8. Jul 12, 2019
    • Gzip: use zlib to write header and trailer. · cfa13163
      Ilya Leoshkevich authored
      When nginx is used with zlib patched with [1], which provides
      integration with the future IBM Z hardware deflate acceleration, it ends
      up computing CRC32 twice: one time in hardware, which always does this,
      and one time in software by explicitly calling crc32().
      
      crc32() calls were added in changesets 133:b27548f540ad
      ("nginx-0.0.1-2003-09-24-23:51:12 import") and 134:d57c6835225c
      ("nginx-0.0.1-2003-09-26-09:45:21 import") as part of gzip wrapping
      feature - back then zlib did not support it.
      
      However, since then gzip wrapping was implemented in zlib v1.2.0.4,
      and it's already being used by nginx for log compression.
      
      This patch replaces hand-written gzip wrapping with the one provided by
      zlib. It simplifies the code, and makes it avoid computing CRC32 twice
      when using hardware acceleration.
      
      [1] https://github.com/madler/zlib/pull/410
    • 29fea7d9
    • Perl: expect escaped URIs in $r->internal_redirect(). · 8df08b02
      Maxim Dounin authored
      Similarly to the change in 5491:74bfa803a5aa (1.5.9), we should accept
      properly escaped URIs and unescape them as needed, else it is not possible
      to handle URIs with question marks.
    • Perl: additional ctx->header_sent checks. · 9e883a2e
      Maxim Dounin authored
      As we now have ctx->header_sent flag, it is further used to prevent
      duplicate $r->send_http_header() calls, prevent output before sending
      header, and $r->internal_redirect() after sending header.
      
      Further, $r->send_http_header() protected from calls after
      $r->internal_redirect().
    • Perl: avoid returning 500 if header was already sent. · 78b39bd6
      Maxim Dounin authored
      Returning NGX_HTTP_INTERNAL_SERVER_ERROR if a perl code died after
      sending header will lead to a "header already sent" alert.  To avoid
      it, we now check if header was already sent, and return NGX_ERROR
      instead if it was.
    • Perl: avoid redirects on errors. · 12d6b3b4
      Maxim Dounin authored
      Previously, redirects scheduled with $r->internal_redirect() were followed
      even if the code then died.  Now these are ignored and nginx will return
      an error instead.
    • Perl: disabled unrelated calls from variable handlers. · cae2e689
      Maxim Dounin authored
      Variable handlers are not expected to send anything to the client, cannot
      sleep or read body, and are not expected to modify the request.  Added
      appropriate protection to prevent accidental foot shooting.
    • Perl: protection against duplicate $r->sleep() calls. · 19887831
      Maxim Dounin authored
      Duplicate $r->sleep() and/or $r->has_request_body() calls result
      in undefined behaviour (in practice, connection leaks were observed).
      To prevent this, croak() added in appropriate places.
    • Perl: handling of allocation errors. · 9d266efb
      Maxim Dounin authored
      Previously, allocation errors in nginx.xs were more or less ignored,
      potentially resulting in incorrect code execution in specific low-memory
      conditions.  This is changed to use ctx->error bit and croak(), similarly
      to how output errors are now handled.
      
      Note that this is mostly a cosmetic change, as Perl itself exits on memory
      allocation errors, and hence nginx with Perl is hardly usable in low-memory
      conditions.
    • Perl: propagate errors. · 4a0771f9
      Maxim Dounin authored
      When an error happens, the ctx->error bit is now set, and croak()
      is called to terminate further processing.  The ctx->error bit is
      checked in ngx_http_perl_call_handler() to cancel further processing,
      and is also checked in various output functions - to make sure these won't
      be called if croak() was handled by an eval{} in perl code.
      
      In particular, this ensures that output chain won't be called after
      errors, as filters might not expect this to happen.  This fixes some
      segmentation faults under low memory conditions.  Also this stops
      request processing after filter finalization or request body reading
      errors.
      
      For cases where an HTTP error status can be additionally returned (for
      example, 416 (Requested Range Not Satisfiable) from the range filter),
      the ctx->status field is also added.
    • Perl: reworked perl module to pass ctx instead of request. · eae5e4dd
      Maxim Dounin authored
      This ensures that correct ctx is always available, including after
      filter finalization.  In particular, this fixes a segmentation fault
      with the following configuration:
      
          location / {
              image_filter test;
      
              perl 'sub {
                  my $r = shift;
                  $r->send_http_header();
                  $r->print("foo\n");
                  $r->print("bar\n");
              }';
          }
      
      This also seems to be the only way to correctly handle filter finalization
      in various complex cases, for example, when embedded perl is used both
      in the original handler and in an error page called after filter
      finalization.
  9. Jul 11, 2019
    • Perl: removed unneeded NGX_DONE test. · 60e74805
      Maxim Dounin authored
      The NGX_DONE test in ngx_http_perl_handle_request() was introduced
      in 1702:86bb52e28ce0, which also modified ngx_http_perl_call_handler()
      to return NGX_DONE with c->destroyed.  The latter part was then
      removed in 3050:f54b02dbb12b, so NGX_DONE test is no longer needed.
  10. Jun 30, 2019
  11. Jul 09, 2019
  12. Jun 25, 2019
  13. Jun 17, 2019
    • Perl: disabled not_modified filter (ticket #1786). · d9887ee2
      Maxim Dounin authored
      Embedded perl does not set any request fields needed for conditional
      requests processing.  Further, filter finalization in the not_modified
      filter can cause segmentation faults due to cleared ctx as in
      ticket #1786.
      
      Before 5fb1e57c758a (1.7.3) the not_modified filter was implicitly disabled
      for perl responses, as r->headers_out.last_modified_time was -1.  This
      change restores this behaviour by using the explicit r->disable_not_modified
      flag.
      
      Note that this patch doesn't try to address perl module robustness against
      filter finalization and other errors returned from filter chains.  It should
      be eventually reworked to handle errors instead of ignoring them.
  14. Jun 05, 2019
  15. Jun 03, 2019
    • Upstream: background cache update before cache send (ticket #1782). · 16ebfa99
      Roman Arutyunyan authored
      In case of filter finalization, essential request fields like r->uri,
      r->args etc could be changed, which affected the cache update subrequest.
      Also, after filter finalization r->cache could be set to NULL, leading to
      null pointer dereference in ngx_http_upstream_cache_background_update().
      The fix is to create background cache update subrequest before sending the
      cached response.
      
      Since initial introduction in 1aeaae6e9446 (1.11.10) background cache update
      subrequest was created after sending the cached response because otherwise it
      blocked the parent request output.  In 9552758a786e (1.13.1) background
      subrequests were introduced to eliminate the delay before sending the final
      part of the cached response.  This also made it possible to create the
      background cache update subrequest before sending the response.
      
      Note that creating the subrequest earlier does not change the fact that in case
      of filter finalization the background cache update subrequest will likely not
      have enough time to successfully update the cache entry.  Filter finalization
      leads to the main request termination as soon as the current iteration of request
      processing is complete.
  16. May 23, 2019
  17. May 27, 2019
  18. May 21, 2019