Fijxu/nginx-quic
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Compare commits

merge into: Fijxu:quic
Branches Tags
Fijxu:quic
Fijxu:master
Fijxu:stable-1.20
Fijxu:stable-1.18
Fijxu:stable-1.16
Fijxu:stable-1.14
Fijxu:stable-1.12
Fijxu:stable-1.10
Fijxu:stable-1.8
Fijxu:stable-1.6
Fijxu:stable-1.4
Fijxu:stable-1.2
Fijxu:stable-1.0
Fijxu:stable-0.7
Fijxu:stable-0.8
Fijxu:stable-0.5
Fijxu:stable-0.6
Fijxu:radix_with_skip
...
pull from: Fijxu:stable-1.4
Branches Tags
Fijxu:quic
Fijxu:master
Fijxu:stable-1.20
Fijxu:stable-1.18
Fijxu:stable-1.16
Fijxu:stable-1.14
Fijxu:stable-1.12
Fijxu:stable-1.10
Fijxu:stable-1.8
Fijxu:stable-1.6
Fijxu:stable-1.4
Fijxu:stable-1.2
Fijxu:stable-1.0
Fijxu:stable-0.7
Fijxu:stable-0.8
Fijxu:stable-0.5
Fijxu:stable-0.6
Fijxu:radix_with_skip

56 commits
quic ... stable-1.4

Author SHA1 Message Date
Maxim Dounin
879a3da2c3 release-1.4.7 tag 2014-03-18 17:17:09 +04:00
Maxim Dounin
4f682d9f5a nginx-1.4.7-RELEASE 2014-03-18 17:17:09 +04:00
Maxim Dounin
7c6c99a10a SPDY: always check size of data to be saved into state buffer. 2014-03-18 17:00:19 +04:00
Maxim Dounin
135a8680ac FastCGI: f->split_parts reset on request start. 
Additionally, make sure to check for errors from ngx_http_parse_header_line()
call after joining saved parts.  There shouldn't be any errors, though
check may help to catch bugs like missing f->split_parts reset.

Reported by Lucas Molas.
 2014-03-17 15:34:36 +04:00
Maxim Dounin
6e2c0a113f Version bump. 2014-03-18 17:12:28 +04:00
Maxim Dounin
1ebc9c28aa release-1.4.6 tag 2014-03-04 15:46:45 +04:00
Maxim Dounin
12bacef9ba nginx-1.4.6-RELEASE 2014-03-04 15:46:44 +04:00
Maxim Dounin
80b784a1c5 Request body: avoid potential overflow. 2014-03-03 17:39:53 +04:00
Maxim Dounin
df150c6b8b Upstream: ngx_post_event() instead of upgraded call (ticket #503). 
If a request is finalized in the first call to the
ngx_http_upstream_process_upgraded() function, e.g., because upstream
server closed the connection for some reason, in the second call
the u->peer.connection pointer will be null, resulting in segmentation
fault.

Fix is to avoid second direct call, and post event instead.  This ensures
that ngx_http_upstream_process_upgraded() won't be called again if
a request is finalized.
 2014-02-18 17:30:40 +04:00
Maxim Dounin
934095dd34 Version bump. 2014-03-03 17:22:28 +04:00
Maxim Dounin
71e3e75de3 release-1.4.5 tag 2014-02-11 17:24:43 +04:00
Maxim Dounin
a1e7e8babb nginx-1.4.5-RELEASE 2014-02-11 17:24:43 +04:00
Maxim Dounin
e6048f5bb6 Updated OpenSSL used for win32 builds. 2014-01-22 16:10:13 +04:00
Maxim Dounin
7e5dcb3bb7 Fixed TCP_DEFER_ACCEPT handling (ticket #353). 
Backed out 05a56ebb084a, as it turns out that kernel can return connections
without any delay if syncookies are used.  This basically means we can't
assume anything about connections returned with deferred accept set.

To solve original problem the 05a56ebb084a tried to solve, i.e. to don't
wait longer than needed if a connection was accepted after deferred accept
timeout, this patch changes a timeout set with setsockopt(TCP_DEFER_ACCEPT)
to 1 second, unconditionally.  This is believed to be enough for speed
improvements, and doesn't imply major changes to timeouts used.

Note that before 2.6.32 connections were dropped after a timeout.  Though
it is believed that 1s is still appropriate for kernels before 2.6.32,
as previously tcp_synack_retries controlled the actual timeout and 1s results
in more than 1 minute actual timeout by default.
 2014-01-28 15:40:46 +04:00
Maxim Dounin
1b88f85a04 Upstream: reading from a client after connection upgrade. 
Read event on a client connection might have been disabled during
previous processing, and we at least need to handle events.  Calling
ngx_http_upstream_process_upgraded() is a simpliest way to do it.

Notably this change is needed for select, poll and /dev/poll event
methods.

Previous version of this patch was posted here:
http://mailman.nginx.org/pipermail/nginx/2014-January/041839.html
 2014-01-22 16:05:07 +04:00
Maxim Dounin
6ca56c5d32 SSL: fixed $ssl_session_id possible segfault after 97e3769637a7. 
Even during execution of a request it is possible that there will be
no session available, notably in case of renegotiation.  As a result
logging of $ssl_session_id in some cases caused NULL pointer dereference
after revision 97e3769637a7 (1.5.9).  The check added returns an empty
string if there is no session available.
 2014-01-23 18:32:26 +04:00
Maxim Dounin
239327a9b1 SSL: fixed $ssl_session_id variable. 
Previously, it used to contain full session serialized instead of just
a session id, making it almost impossible to use the variable in a safe
way.

Thanks to Ivan Ristić.
 2014-01-22 16:05:06 +04:00
Valentin Bartenev
db4766b488 SPDY: fixed possible segfault. 
While processing a DATA frame, the link to related stream is stored in spdy
connection object as part of connection state.  But this stream can be closed
between receiving parts of the frame.
 2014-01-22 04:58:19 +04:00
Valentin Bartenev
778cd67043 Year 2014. 2014-01-14 16:24:02 +04:00
Maxim Dounin
9a73be2740 Fixed "zero size buf in output" alerts. 
If a request had an empty request body (with Content-Length: 0), and there
were preread data available (e.g., due to a pipelined request in the buffer),
the "zero size buf in output" alert might be logged while proxying the
request to an upstream.

Similar alerts appeared with client_body_in_file_only if a request had an
empty request body.
 2014-01-04 03:32:22 +04:00
Maxim Dounin
eb927f8f2f Request body: fixed r->count increment on allocation failure. 2013-05-11 18:49:19 +04:00
Maxim Dounin
2953968e4f SSL: fixed c->read->ready handling in ngx_ssl_recv(). 
If c->read->ready was reset, but later some data were read from a socket
buffer due to a call to ngx_ssl_recv(), the c->read->ready flag should
be restored if not all data were read from OpenSSL buffers (as kernel
won't notify us about the data anymore).

More details are available here:
http://mailman.nginx.org/pipermail/nginx/2013-November/041178.html
 2013-11-29 17:16:06 +04:00
Maxim Dounin
a443af4ee0 Win32: plugged memory leak. 2013-10-31 18:23:49 +04:00
Maxim Dounin
f1864dc225 Version bump. 2014-02-06 20:49:12 +04:00
Maxim Dounin
a935327d25 release-1.4.4 tag 2013-11-19 15:25:24 +04:00
Maxim Dounin
b59c38e645 nginx-1.4.4-RELEASE 2013-11-19 15:25:24 +04:00
Ruslan Ermilov
efc1b505d9 Proper backtracking after space in a request line. 2013-11-19 06:57:58 +04:00
Maxim Dounin
f04e0507f8 Version bump. 2013-11-19 15:23:03 +04:00
Maxim Dounin
d9cd2a3a2b release-1.4.3 tag 2013-10-08 16:07:14 +04:00
Maxim Dounin
021b91849f nginx-1.4.3-RELEASE 2013-10-08 16:07:13 +04:00
Maxim Dounin
9519db468a Mail: fixed segfault with ssl/starttls at mail{} level and no cert. 
A configuration like "mail { starttls on; server {}}" triggered NULL
pointer dereference in ngx_mail_ssl_merge_conf() as conf->file was not set.
 2013-09-30 22:10:13 +04:00
Maxim Dounin
a6b4e36207 Mail: fixed overrun of allocated memory (ticket #411). 
Reported by Markus Linnala.
 2013-09-30 22:10:08 +04:00
Markus Linnala
78145c347e Core: fix misallocation at ngx_crypt_apr1 (ticket #412). 
Found by using auth_basic.t from mdounin nginx-tests under valgrind.

==10470== Invalid write of size 1
==10470==    at 0x43603D: ngx_crypt_to64 (ngx_crypt.c:168)
==10470==    by 0x43648E: ngx_crypt (ngx_crypt.c:153)
==10470==    by 0x489D8B: ngx_http_auth_basic_crypt_handler (ngx_http_auth_basic_module.c:297)
==10470==    by 0x48A24A: ngx_http_auth_basic_handler (ngx_http_auth_basic_module.c:240)
==10470==    by 0x44EAB9: ngx_http_core_access_phase (ngx_http_core_module.c:1121)
==10470==    by 0x44A822: ngx_http_core_run_phases (ngx_http_core_module.c:895)
==10470==    by 0x44A932: ngx_http_handler (ngx_http_core_module.c:878)
==10470==    by 0x455EEF: ngx_http_process_request (ngx_http_request.c:1852)
==10470==    by 0x456527: ngx_http_process_request_headers (ngx_http_request.c:1283)
==10470==    by 0x456A91: ngx_http_process_request_line (ngx_http_request.c:964)
==10470==    by 0x457097: ngx_http_wait_request_handler (ngx_http_request.c:486)
==10470==    by 0x4411EE: ngx_epoll_process_events (ngx_epoll_module.c:691)
==10470==  Address 0x5866fab is 0 bytes after a block of size 27 alloc'd
==10470==    at 0x4A074CD: malloc (vg_replace_malloc.c:236)
==10470==    by 0x43B251: ngx_alloc (ngx_alloc.c:22)
==10470==    by 0x421B0D: ngx_malloc (ngx_palloc.c:119)
==10470==    by 0x421B65: ngx_pnalloc (ngx_palloc.c:147)
==10470==    by 0x436368: ngx_crypt (ngx_crypt.c:140)
==10470==    by 0x489D8B: ngx_http_auth_basic_crypt_handler (ngx_http_auth_basic_module.c:297)
==10470==    by 0x48A24A: ngx_http_auth_basic_handler (ngx_http_auth_basic_module.c:240)
==10470==    by 0x44EAB9: ngx_http_core_access_phase (ngx_http_core_module.c:1121)
==10470==    by 0x44A822: ngx_http_core_run_phases (ngx_http_core_module.c:895)
==10470==    by 0x44A932: ngx_http_handler (ngx_http_core_module.c:878)
==10470==    by 0x455EEF: ngx_http_process_request (ngx_http_request.c:1852)
==10470==    by 0x456527: ngx_http_process_request_headers (ngx_http_request.c:1283)
==10470==
 2013-09-20 17:57:21 +03:00
Maxim Dounin
843a541c56 Win32: $request_time fixed. 
On win32, time_t is 64 bits wide by default, and passing an ngx_msec_int_t
argument for %T format specifier doesn't work.  This doesn't manifest itself
on other platforms as time_t and ngx_msec_int_t are usually of the same size.
 2013-09-04 20:48:30 +04:00
Maxim Dounin
c7f3d6d3d6 Fixed try_files with empty argument (ticket #390). 2013-08-23 22:18:39 +04:00
Sergey Kandaurov
bbbe730163 Autoindex: improved ngx_de_info() error handling. 
This allows to build a directory listing whenever a loop exists in symbolic
link resolution of the path argument.
 2013-07-30 11:43:21 +04:00
Sergey Kandaurov
9b205847a0 Autoindex: return NGX_ERROR on error if headers were sent. 
This prevents ngx_http_finalize_request() from issuing
ngx_http_special_response_handler() on a freed context.
 2013-07-30 11:43:21 +04:00
Valentin Bartenev
f065eb7eab SPDY: fixed segfault with "client_body_in_file_only" enabled. 
It is possible to send FLAG_FIN in additional empty data frame, even if it is
known from the content-length header that request body is empty.  And Firefox
actually behaves like this (see ticket #357).

To simplify code we sacrificed our microoptimization that did not work right
due to missing check in the ngx_http_spdy_state_data() function for rb->buf
set to NULL.
 2013-07-24 22:24:25 +04:00
Maxim Dounin
e77b5689b6 Version bump. 2013-10-07 20:30:03 +04:00
Maxim Dounin
cb3606270b release-1.4.2 tag 2013-07-17 16:51:21 +04:00
Maxim Dounin
921f7ee59a nginx-1.4.2-RELEASE 2013-07-17 16:51:21 +04:00
Maxim Dounin
96538bee1e Perl: fixed r->header_in("Cookie") (ticket #351). 
It was broken by X-Forwarded-For related changes in f7fe817c92a2 (1.3.14)
as hh->offset is no longer 0 for Cookie.
 2013-06-10 14:35:00 +04:00
Maxim Dounin
28d945a554 Updated zlib used for win32 builds. 2013-06-04 16:16:51 +04:00
Maxim Dounin
15a8682eb4 Win32: accept_mutex now always disabled (ticket #362). 
Use of accept mutex on win32 may result in a deadlock if there are multiple
worker_processes configured and the mutex is grabbed by a process which
can't accept connections.
 2013-05-31 14:59:26 +04:00
Maxim Dounin
9695fa7bc8 Upstream: fixed fail_timeout and max_fails > 1. 
Due to peer->checked always set since rev. c90801720a0c (1.3.0)
by round-robin and least_conn balancers (ip_hash not affected),
the code in ngx_http_upstream_free_round_robin_peer() function
incorrectly reset peer->fails too often.

Reported by Dmitry Popov,
http://mailman.nginx.org/pipermail/nginx-devel/2013-May/003720.html
 2013-05-21 21:47:50 +04:00
Piotr Sikora
3b854154f4 OCSP stapling: fix error logging of successful OCSP responses. 
Due to a bad argument list, nginx worker would crash (SIGSEGV) while
trying to log the fact that it received OCSP response with "revoked"
or "unknown" certificate status.

While there, fix similar (but non-crashing) error a few lines above.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
 2013-05-16 15:37:13 -07:00
Ruslan Ermilov
9778d71862 Removed vestiges of SVN. 2013-04-25 17:41:45 +04:00
Maxim Dounin
7818f16a5f Proxy: $proxy_internal_body_length fixed. 
The $proxy_internal_body_length value might change during request lifetime,
notably if proxy_set_body used, and use of a cached value might result in
incorrect upstream requests.

Patch by Lanshun Zhou.
 2013-05-11 21:12:24 +04:00
Maxim Dounin
2330b9682c Fixed build with --with-mail_ssl_module. 
If nginx was compiled without --with-http_ssl_module, but with some
other module which uses OpenSSL (e.g. --with-mail_ssl_module), insufficient
preprocessor check resulted in build failure.  The problem was introduced
by e0a3714a36f8 (1.3.14).

Reported by Roman Arutyunyan.
 2013-05-11 18:49:30 +04:00
Maxim Dounin
4672d90cce Perl: extra "return" removed. 2013-05-11 18:48:56 +04:00
Maxim Dounin
6af91f2351 Version bump. 2013-07-12 14:24:07 +04:00
Maxim Dounin
dc53c416de release-1.4.1 tag 2013-05-06 14:21:38 +04:00
Maxim Dounin
ad0825c491 nginx-1.4.1-RELEASE 2013-05-06 14:20:27 +04:00
Maxim Dounin
6a583e5792 Fixed chunk size parsing. 2013-05-06 14:03:24 +04:00
Maxim Dounin
f2529f730e Version bump. 2013-05-06 14:18:46 +04:00
Maxim Dounin
e944f8c6a4 stable-1.4 branch 2013-05-06 02:12:30 +04:00
31 changed files with 518 additions and 151 deletions
Show stats Expand all files Collapse all files

4
docs/text/LICENSE
View file

@ -1,6 +1,6 @@
/* /*
* Copyright (C) 2002-2013 Igor Sysoev * Copyright (C) 2002-2014 Igor Sysoev
* Copyright (C) 2011-2013 Nginx, Inc. * Copyright (C) 2011-2014 Nginx, Inc.
* All rights reserved. * All rights reserved.
* *
* Redistribution and use in source and binary forms, with or without * Redistribution and use in source and binary forms, with or without

342
docs/xml/nginx/changes.xml
View file

@ -5,6 +5,348 @@
<change_log title="nginx"> <change_log title="nginx">
<changes ver="1.4.7" date="18.03.2014">
<change type="security">
<para lang="ru">
при обработке специально созданного запроса модулем ngx_http_spdy_module
могло происходить переполнение буфера в рабочем процессе,
что потенциально могло приводить к выполнению произвольного кода
(CVE-2014-0133).<br/>
Спасибо Lucas Molas из Programa STIC, Fundación Dr. Manuel
Sadosky, Buenos Aires, Argentina.
</para>
<para lang="en">
a heap memory buffer overflow might occur in a worker process
while handling a specially crafted request by ngx_http_spdy_module,
potentially resulting in arbitrary code execution
(CVE-2014-0133).<br/>
Thanks to Lucas Molas, researcher at Programa STIC, Fundación Dr. Manuel
Sadosky, Buenos Aires, Argentina.
</para>
</change>
<change type="bugfix">
<para lang="ru">
в директиве fastcgi_next_upstream.<br/>
Спасибо Lucas Molas.
</para>
<para lang="en">
in the "fastcgi_next_upstream" directive.<br/>
Thanks to Lucas Molas.
</para>
</change>
</changes>
<changes ver="1.4.6" date="04.03.2014">
<change type="bugfix">
<para lang="ru">
директива client_max_body_size могла не работать
при чтении тела запроса с использованием chunked transfer encoding;
ошибка появилась в 1.3.9.<br/>
Спасибо Lucas Molas.
</para>
<para lang="en">
the "client_max_body_size" directive might not work
when reading a request body using chunked transfer encoding;
the bug had appeared in 1.3.9.<br/>
Thanks to Lucas Molas.
</para>
</change>
<change type="bugfix">
<para lang="ru">
при проксировании WebSocket-соединений
в рабочем процессе мог произойти segmentation fault.
</para>
<para lang="en">
a segmentation fault might occur in a worker process
when proxying WebSocket connections.
</para>
</change>
</changes>
<changes ver="1.4.5" date="11.02.2014">
<change type="bugfix">
<para lang="ru">
переменная $ssl_session_id содержала всю сессию в сериализованном виде
вместо её идентификатора.<br/>
Спасибо Ivan Ristić.
</para>
<para lang="en">
the $ssl_session_id variable contained full session serialized
instead of just a session id.<br/>
Thanks to Ivan Ristić.
</para>
</change>
<change type="bugfix">
<para lang="ru">
клиентские соединения могли сразу закрываться,
если использовался отложенный accept;
ошибка появилась в 1.3.15.
</para>
<para lang="en">
client connections might be immediately closed
if deferred accept was used;
the bug had appeared in 1.3.15.
</para>
</change>
<change type="bugfix">
<para lang="ru">
при проксировании в логах могли появляться сообщения "zero size buf in output";
ошибка появилась в 1.3.9.
</para>
<para lang="en">
alerts "zero size buf in output" might appear in logs while proxying;
the bug had appeared in 1.3.9.
</para>
</change>
<change type="bugfix">
<para lang="ru">
в рабочем процессе мог произойти segmentation fault,
если использовался модуль ngx_http_spdy_module.
</para>
<para lang="en">
a segmentation fault might occur in a worker process
if the ngx_http_spdy_module was used.
</para>
</change>
<change type="bugfix">
<para lang="ru">
при использовании методов обработки соединений select, poll и /dev/poll
проксируемые WebSocket-соединения могли зависать сразу после открытия.
</para>
<para lang="en">
proxied WebSocket connections might hang right after handshake
if the select, poll, or /dev/poll methods were used.
</para>
</change>
<change type="bugfix">
<para lang="ru">
при чтении тела запроса с использованием chunked transfer encoding
по SSL-соединению мог произойти таймаут.
</para>
<para lang="en">
a timeout might occur while reading client request body
in an SSL connection using chunked transfer encoding.
</para>
</change>
<change type="bugfix">
<para lang="ru">
утечки памяти в nginx/Windows.
</para>
<para lang="en">
memory leak in nginx/Windows.
</para>
</change>
</changes>
<changes ver="1.4.4" date="19.11.2013">
<change type="security">
<para lang="ru">
символ, следующий за незакодированным пробелом в строке запроса,
обрабатывался неправильно (CVE-2013-4547);
ошибка появилась в 0.8.41.<br/>
Спасибо Ivan Fratric из Google Security Team.
</para>
<para lang="en">
a character following an unescaped space in a request line
was handled incorrectly (CVE-2013-4547);
the bug had appeared in 0.8.41.<br/>
Thanks to Ivan Fratric of the Google Security Team.
</para>
</change>
</changes>
<changes ver="1.4.3" date="08.10.2013">
<change type="bugfix">
<para lang="ru">
в рабочем процессе мог произойти segmentation fault,
если использовался модуль ngx_http_spdy_module
и директива client_body_in_file_only.
</para>
<para lang="en">
a segmentation fault might occur in a worker process
if the ngx_http_spdy_module was used
with the "client_body_in_file_only" directive.
</para>
</change>
<change type="bugfix">
<para lang="ru">
на старте или во время переконфигурации мог произойти segmentation fault,
если использовалась директива try_files с пустым параметром.
</para>
<para lang="en">
a segmentation fault might occur on start or during reconfiguration
if the "try_files" directive was used with an empty parameter.
</para>
</change>
<change type="bugfix">
<para lang="ru">
переменная $request_time не работала в nginx/Windows.
</para>
<para lang="en">
the $request_time variable did not work in nginx/Windows.
</para>
</change>
<change type="bugfix">
<para lang="ru">
в модуле ngx_http_auth_basic_module
при использовании метода шифрования паролей "$apr1$".<br/>
Спасибо Markus Linnala.
</para>
<para lang="en">
in the ngx_http_auth_basic_module
when using "$apr1$" password encryption method.<br/>
Thanks to Markus Linnala.
</para>
</change>
<change type="bugfix">
<para lang="ru">
в модуле ngx_http_autoindex_module.
</para>
<para lang="en">
in the ngx_http_autoindex_module.
</para>
</change>
<change type="bugfix">
<para lang="ru">
в почтовом прокси-сервере.
</para>
<para lang="en">
in the mail proxy server.
</para>
</change>
</changes>
<changes ver="1.4.2" date="17.07.2013">
<change type="bugfix">
<para lang="ru">
метод $r->header_in() встроенного перла не возвращал значения строк
"Cookie" и "X-Forwarded-For" из заголовка запроса;
ошибка появилась в 1.3.14.
</para>
<para lang="en">
the $r->header_in() embedded perl method did not return value of the
"Cookie" and "X-Forwarded-For" request header lines;
the bug had appeared in 1.3.14.
</para>
</change>
<change type="bugfix">
<para lang="ru">
nginx не собирался с модулем ngx_mail_ssl_module,
но без модуля ngx_http_ssl_module;
ошибка появилась в 1.3.14.
</para>
<para lang="en">
nginx could not be built with the ngx_mail_ssl_module,
but without ngx_http_ssl_module;
the bug had appeared in 1.3.14.
</para>
</change>
<change type="bugfix">
<para lang="ru">
в директиве proxy_set_body.<br/>
Спасибо Lanshun Zhou.
</para>
<para lang="en">
in the "proxy_set_body" directive.<br/>
Thanks to Lanshun Zhou.
</para>
</change>
<change type="bugfix">
<para lang="ru">
параметр fail_timeout директивы server
в блоке upstream мог не работать,
если использовался параметр max_fails;
ошибка появилась в 1.3.0.
</para>
<para lang="en">
the "fail_timeout" parameter of the "server" directive
in the "upstream" context might not work
if "max_fails" parameter was used;
the bug had appeared in 1.3.0.
</para>
</change>
<change type="bugfix">
<para lang="ru">
в рабочем процессе мог произойти segmentation fault,
если использовалась директива ssl_stapling.<br/>
Спасибо Piotr Sikora.
</para>
<para lang="en">
a segmentation fault might occur in a worker process
if the "ssl_stapling" directive was used.<br/>
Thanks to Piotr Sikora.
</para>
</change>
<change type="bugfix">
<para lang="ru">
nginx/Windows мог перестать принимать соединения,
если использовалось несколько рабочих процессов.
</para>
<para lang="en">
nginx/Windows might stop accepting connections
if several worker processes were used.
</para>
</change>
</changes>
<changes ver="1.4.1" date="07.05.2013">
<change type="security">
<para lang="ru">
при обработке специально созданного запроса
мог перезаписываться стек рабочего процесса,
что могло приводить к выполнению произвольного кода (CVE-2013-2028);
ошибка появилась в 1.3.9.<br/>
Спасибо Greg MacManus, iSIGHT Partners Labs.
</para>
<para lang="en">
a stack-based buffer overflow might occur in a worker process
while handling a specially crafted request,
potentially resulting in arbitrary code execution (CVE-2013-2028);
the bug had appeared in 1.3.9.<br/>
Thanks to Greg MacManus, iSIGHT Partners Labs.
</para>
</change>
</changes>
<changes ver="1.4.0" date="24.04.2013"> <changes ver="1.4.0" date="24.04.2013">
<change type="bugfix"> <change type="bugfix">

35
misc/GNUmakefile
View file

@ -3,11 +3,10 @@ VER = $(shell grep 'define NGINX_VERSION' src/core/nginx.h \
| sed -e 's/^.*"\(.*\)".*/\1/') | sed -e 's/^.*"\(.*\)".*/\1/')
NGINX = nginx-$(VER) NGINX = nginx-$(VER)
TEMP = tmp TEMP = tmp
REPO = $(shell svn info | sed -n 's/^Repository Root: //p')
OBJS = objs.msvc8 OBJS = objs.msvc8
OPENSSL = openssl-1.0.1e OPENSSL = openssl-1.0.1f
ZLIB = zlib-1.2.7 ZLIB = zlib-1.2.8
PCRE = pcre-8.32 PCRE = pcre-8.32
@ -38,40 +37,14 @@ release: export
export: export:
rm -rf $(TEMP) rm -rf $(TEMP)
hg archive -X '.hg*' $(TEMP)/$(NGINX)
if [ -d .svn ]; then \
svn export -rHEAD . $(TEMP)/$(NGINX); \
else \
hg archive -X '.hg*' $(TEMP)/$(NGINX); \
fi
RELEASE: RELEASE:
if [ -d .svn ]; then \
$(MAKE) -f misc/GNUmakefile RELEASE.svn; \
else \
$(MAKE) -f misc/GNUmakefile RELEASE.hg; \
fi
$(MAKE) -f misc/GNUmakefile release
RELEASE.hg:
hg ci -m nginx-$(VER)-RELEASE hg ci -m nginx-$(VER)-RELEASE
hg tag -m "release-$(VER) tag" release-$(VER) hg tag -m "release-$(VER) tag" release-$(VER)
$(MAKE) -f misc/GNUmakefile release
RELEASE.svn:
test -d $(TEMP) || mkdir -p $(TEMP)
echo "nginx-$(VER)-RELEASE" > $(TEMP)/message
svn ci -F $(TEMP)/message
echo "release-$(VER) tag" > $(TEMP)/message
svn copy $(REPO)/trunk $(REPO)/tags/release-$(VER) \
-F $(TEMP)/message
svn up
win32: win32:

3
misc/README
View file

@ -1,7 +1,4 @@
GNUmakefile, in svn it is available since 0.4.0 only.
make -f misc/GNUmakefile release make -f misc/GNUmakefile release
the required tools: the required tools:

4
src/core/nginx.h
View file

@ -9,8 +9,8 @@
#define _NGINX_H_INCLUDED_ #define _NGINX_H_INCLUDED_
#define nginx_version 1004000 #define nginx_version 1004007
#define NGINX_VERSION "1.4.0" #define NGINX_VERSION "1.4.7"
#define NGINX_VER "nginx/" NGINX_VERSION #define NGINX_VER "nginx/" NGINX_VERSION
#define NGINX_VAR "NGINX" #define NGINX_VAR "NGINX"

8
src/core/ngx_connection.c
View file

@ -647,7 +647,13 @@ ngx_configure_listening_sockets(ngx_cycle_t *cycle)
if (ls[i].add_deferred || ls[i].delete_deferred) { if (ls[i].add_deferred || ls[i].delete_deferred) {
if (ls[i].add_deferred) { if (ls[i].add_deferred) {
timeout = (int) (ls[i].post_accept_timeout / 1000); /*
* There is no way to find out how long a connection was
* in queue (and a connection may bypass deferred queue at all
* if syncookies were used), hence we use 1 second timeout
* here.
*/
timeout = 1;
} else { } else {
timeout = 0; timeout = 0;

2
src/core/ngx_crypt.c
View file

@ -137,7 +137,7 @@ ngx_crypt_apr1(ngx_pool_t *pool, u_char *key, u_char *salt, u_char **encrypted)
/* output */ /* output */
*encrypted = ngx_pnalloc(pool, sizeof("$apr1$") - 1 + saltlen + 16 + 1); *encrypted = ngx_pnalloc(pool, sizeof("$apr1$") - 1 + saltlen + 1 + 22 + 1);
if (*encrypted == NULL) { if (*encrypted == NULL) {
return NGX_ERROR; return NGX_ERROR;
} }

11
src/event/ngx_event.c
View file

@ -607,6 +607,17 @@ ngx_event_process_init(ngx_cycle_t *cycle)
ngx_use_accept_mutex = 0; ngx_use_accept_mutex = 0;
} }
#if (NGX_WIN32)
/*
* disable accept mutex on win32 as it may cause deadlock if
* grabbed by a process which can't accept connections
*/
ngx_use_accept_mutex = 0;
#endif
#if (NGX_THREADS) #if (NGX_THREADS)
ngx_posted_events_mutex = ngx_mutex_init(cycle->log, 0); ngx_posted_events_mutex = ngx_mutex_init(cycle->log, 0);
if (ngx_posted_events_mutex == NULL) { if (ngx_posted_events_mutex == NULL) {

25
src/event/ngx_event_openssl.c
View file

@ -965,6 +965,7 @@ ngx_ssl_recv(ngx_connection_t *c, u_char *buf, size_t size)
size -= n; size -= n;
if (size == 0) { if (size == 0) {
c->read->ready = 1;
return bytes; return bytes;
} }
@ -974,6 +975,10 @@ ngx_ssl_recv(ngx_connection_t *c, u_char *buf, size_t size)
} }
if (bytes) { if (bytes) {
if (c->ssl->last != NGX_AGAIN) {
c->read->ready = 1;
}
return bytes; return bytes;
} }
@ -2224,32 +2229,26 @@ ngx_int_t
ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{ {
int len; int len;
u_char *p, *buf; u_char *buf;
SSL_SESSION *sess; SSL_SESSION *sess;
sess = SSL_get0_session(c->ssl->connection); sess = SSL_get0_session(c->ssl->connection);
if (sess == NULL) {
len = i2d_SSL_SESSION(sess, NULL); s->len = 0;
return NGX_OK;
buf = ngx_alloc(len, c->log);
if (buf == NULL) {
return NGX_ERROR;
} }
buf = sess->session_id;
len = sess->session_id_length;
s->len = 2 * len; s->len = 2 * len;
s->data = ngx_pnalloc(pool, 2 * len); s->data = ngx_pnalloc(pool, 2 * len);
if (s->data == NULL) { if (s->data == NULL) {
ngx_free(buf);
return NGX_ERROR; return NGX_ERROR;
} }
p = buf;
i2d_SSL_SESSION(sess, &p);
ngx_hex_dump(s->data, buf, len); ngx_hex_dump(s->data, buf, len);
ngx_free(buf);
return NGX_OK; return NGX_OK;
} }

5
src/event/ngx_event_openssl_stapling.c
View file

@ -611,15 +611,14 @@ ngx_ssl_stapling_ocsp_handler(ngx_ssl_ocsp_ctx_t *ctx)
!= 1) != 1)
{ {
ngx_log_error(NGX_LOG_ERR, ctx->log, 0, ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
"certificate status not found in the OCSP response", "certificate status not found in the OCSP response");
n, OCSP_response_status_str(n));
goto error; goto error;
} }
if (n != V_OCSP_CERTSTATUS_GOOD) { if (n != V_OCSP_CERTSTATUS_GOOD) {
ngx_log_error(NGX_LOG_ERR, ctx->log, 0, ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
"certificate status \"%s\" in the OCSP response", "certificate status \"%s\" in the OCSP response",
n, OCSP_cert_status_str(n)); OCSP_cert_status_str(n));
goto error; goto error;
} }

6
src/http/modules/ngx_http_autoindex_module.c
View file

@ -304,7 +304,7 @@ ngx_http_autoindex_handler(ngx_http_request_t *r)
if (ngx_de_info(filename, &dir) == NGX_FILE_ERROR) { if (ngx_de_info(filename, &dir) == NGX_FILE_ERROR) {
err = ngx_errno; err = ngx_errno;
if (err != NGX_ENOENT) { if (err != NGX_ENOENT && err != NGX_ELOOP) {
ngx_log_error(NGX_LOG_CRIT, r->connection->log, err, ngx_log_error(NGX_LOG_CRIT, r->connection->log, err,
ngx_de_info_n " \"%s\" failed", filename); ngx_de_info_n " \"%s\" failed", filename);
@ -388,7 +388,7 @@ ngx_http_autoindex_handler(ngx_http_request_t *r)
b = ngx_create_temp_buf(r->pool, len); b = ngx_create_temp_buf(r->pool, len);
if (b == NULL) { if (b == NULL) {
return NGX_HTTP_INTERNAL_SERVER_ERROR; return NGX_ERROR;
} }
if (entries.nelts > 1) { if (entries.nelts > 1) {
@ -649,7 +649,7 @@ ngx_http_autoindex_error(ngx_http_request_t *r, ngx_dir_t *dir, ngx_str_t *name)
ngx_close_dir_n " \"%V\" failed", name); ngx_close_dir_n " \"%V\" failed", name);
} }
return NGX_HTTP_INTERNAL_SERVER_ERROR; return r->header_sent ? NGX_ERROR : NGX_HTTP_INTERNAL_SERVER_ERROR;
} }

11
src/http/modules/ngx_http_fastcgi_module.c
View file

@ -1195,6 +1195,10 @@ ngx_http_fastcgi_reinit_request(ngx_http_request_t *r)
f->fastcgi_stdout = 0; f->fastcgi_stdout = 0;
f->large_stderr = 0; f->large_stderr = 0;
if (f->split_parts) {
f->split_parts->nelts = 0;
}
r->state = 0; r->state = 0;
return NGX_OK; return NGX_OK;
@ -1475,6 +1479,13 @@ ngx_http_fastcgi_process_header(ngx_http_request_t *r)
rc = ngx_http_parse_header_line(r, &buf, 1); rc = ngx_http_parse_header_line(r, &buf, 1);
if (rc != NGX_OK) {
ngx_log_error(NGX_LOG_ALERT, r->connection->log, 0,
"invalid header after joining "
"FastCGI records");
return NGX_ERROR;
}
h->key.len = r->header_name_end - r->header_name_start; h->key.len = r->header_name_end - r->header_name_start;
h->key.data = r->header_name_start; h->key.data = r->header_name_start;
h->key.data[h->key.len] = '\0'; h->key.data[h->key.len] = '\0';

2
src/http/modules/ngx_http_log_module.c
View file

@ -780,7 +780,7 @@ ngx_http_log_request_time(ngx_http_request_t *r, u_char *buf,
((tp->sec - r->start_sec) * 1000 + (tp->msec - r->start_msec)); ((tp->sec - r->start_sec) * 1000 + (tp->msec - r->start_msec));
ms = ngx_max(ms, 0); ms = ngx_max(ms, 0);
return ngx_sprintf(buf, "%T.%03M", ms / 1000, ms % 1000); return ngx_sprintf(buf, "%T.%03M", (time_t) ms / 1000, ms % 1000);
} }

3
src/http/modules/ngx_http_proxy_module.c
View file

@ -615,7 +615,8 @@ static ngx_http_variable_t ngx_http_proxy_vars[] = {
#endif #endif
{ ngx_string("proxy_internal_body_length"), NULL, { ngx_string("proxy_internal_body_length"), NULL,
ngx_http_proxy_internal_body_length_variable, 0, NGX_HTTP_VAR_NOHASH, 0 }, ngx_http_proxy_internal_body_length_variable, 0,
NGX_HTTP_VAR_NOCACHEABLE|NGX_HTTP_VAR_NOHASH, 0 },
{ ngx_null_string, NULL, NULL, 0, 0, 0 } { ngx_null_string, NULL, NULL, 0, 0, 0 }
}; };

5
src/http/modules/ngx_http_upstream_least_conn_module.c
View file

@ -282,7 +282,10 @@ ngx_http_upstream_get_least_conn_peer(ngx_peer_connection_t *pc, void *data)
} }
best->current_weight -= total; best->current_weight -= total;
best->checked = now;
if (now - best->checked > best->fail_timeout) {
best->checked = now;
}
pc->sockaddr = best->sockaddr; pc->sockaddr = best->sockaddr;
pc->socklen = best->socklen; pc->socklen = best->socklen;

38
src/http/modules/perl/nginx.xs
View file

@ -222,10 +222,11 @@ header_in(r, key)
dXSTARG; dXSTARG;
ngx_http_request_t *r; ngx_http_request_t *r;
SV *key; SV *key;
u_char *p, *lowcase_key, *cookie; u_char *p, *lowcase_key, *value, sep;
STRLEN len; STRLEN len;
ssize_t size; ssize_t size;
ngx_uint_t i, n, hash; ngx_uint_t i, n, hash;
ngx_array_t *a;
ngx_list_part_t *part; ngx_list_part_t *part;
ngx_table_elt_t *h, **ph; ngx_table_elt_t *h, **ph;
ngx_http_header_t *hh; ngx_http_header_t *hh;
@ -255,6 +256,19 @@ header_in(r, key)
hh = ngx_hash_find(&cmcf->headers_in_hash, hash, lowcase_key, len); hh = ngx_hash_find(&cmcf->headers_in_hash, hash, lowcase_key, len);
if (hh) { if (hh) {
if (hh->offset == offsetof(ngx_http_headers_in_t, cookies)) {
sep = ';';
goto multi;
}
#if (NGX_HTTP_X_FORWARDED_FOR)
if (hh->offset == offsetof(ngx_http_headers_in_t, x_forwarded_for)) {
sep = ',';
goto multi;
}
#endif
if (hh->offset) { if (hh->offset) {
ph = (ngx_table_elt_t **) ((char *) &r->headers_in + hh->offset); ph = (ngx_table_elt_t **) ((char *) &r->headers_in + hh->offset);
@ -268,15 +282,19 @@ header_in(r, key)
XSRETURN_UNDEF; XSRETURN_UNDEF;
} }
/* Cookie */ multi:
n = r->headers_in.cookies.nelts; /* Cookie, X-Forwarded-For */
a = (ngx_array_t *) ((char *) &r->headers_in + hh->offset);
n = a->nelts;
if (n == 0) { if (n == 0) {
XSRETURN_UNDEF; XSRETURN_UNDEF;
} }
ph = r->headers_in.cookies.elts; ph = a->elts;
if (n == 1) { if (n == 1) {
ngx_http_perl_set_targ((*ph)->value.data, (*ph)->value.len); ngx_http_perl_set_targ((*ph)->value.data, (*ph)->value.len);
@ -290,12 +308,12 @@ header_in(r, key)
size += ph[i]->value.len + sizeof("; ") - 1; size += ph[i]->value.len + sizeof("; ") - 1;
} }
cookie = ngx_pnalloc(r->pool, size); value = ngx_pnalloc(r->pool, size);
if (cookie == NULL) { if (value == NULL) {
XSRETURN_UNDEF; XSRETURN_UNDEF;
} }
p = cookie; p = value;
for (i = 0; /* void */ ; i++) { for (i = 0; /* void */ ; i++) {
p = ngx_copy(p, ph[i]->value.data, ph[i]->value.len); p = ngx_copy(p, ph[i]->value.data, ph[i]->value.len);
@ -304,10 +322,10 @@ header_in(r, key)
break; break;
} }
*p++ = ';'; *p++ = ' '; *p++ = sep; *p++ = ' ';
} }
ngx_http_perl_set_targ(cookie, size); ngx_http_perl_set_targ(value, size);
goto done; goto done;
} }
@ -419,7 +437,7 @@ request_body(r)
p = ngx_pnalloc(r->pool, len); p = ngx_pnalloc(r->pool, len);
if (p == NULL) { if (p == NULL) {
return XSRETURN_UNDEF; XSRETURN_UNDEF;
} }
data = p; data = p;

2
src/http/ngx_http.h
View file

@ -89,7 +89,7 @@ ngx_int_t ngx_http_add_listen(ngx_conf_t *cf, ngx_http_core_srv_conf_t *cscf,
void ngx_http_init_connection(ngx_connection_t *c); void ngx_http_init_connection(ngx_connection_t *c);
void ngx_http_close_connection(ngx_connection_t *c); void ngx_http_close_connection(ngx_connection_t *c);
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME #if (NGX_HTTP_SSL && defined SSL_CTRL_SET_TLSEXT_HOSTNAME)
int ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg); int ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg);
#endif #endif

4
src/http/ngx_http_core_module.c
View file

@ -4758,7 +4758,9 @@ ngx_http_core_try_files(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
tf[i].name = value[i + 1]; tf[i].name = value[i + 1];
if (tf[i].name.data[tf[i].name.len - 1] == '/') { if (tf[i].name.len > 0
&& tf[i].name.data[tf[i].name.len - 1] == '/')
{
tf[i].test_dir = 1; tf[i].test_dir = 1;
tf[i].name.len--; tf[i].name.len--;
tf[i].name.data[tf[i].name.len] = '\0'; tf[i].name.data[tf[i].name.len] = '\0';

6
src/http/ngx_http_parse.c
View file

@ -614,6 +614,7 @@ ngx_http_parse_request_line(ngx_http_request_t *r, ngx_buf_t *b)
default: default:
r->space_in_uri = 1; r->space_in_uri = 1;
state = sw_check_uri; state = sw_check_uri;
p--;
break; break;
} }
break; break;
@ -667,6 +668,7 @@ ngx_http_parse_request_line(ngx_http_request_t *r, ngx_buf_t *b)
default: default:
r->space_in_uri = 1; r->space_in_uri = 1;
state = sw_uri; state = sw_uri;
p--;
break; break;
} }
break; break;
@ -2209,6 +2211,10 @@ data:
} }
if (ctx->size < 0 || ctx->length < 0) {
goto invalid;
}
return rc; return rc;
done: done:

31
src/http/ngx_http_request.c
View file

@ -423,20 +423,6 @@ ngx_http_wait_request_handler(ngx_event_t *rev)
if (n == NGX_AGAIN) { if (n == NGX_AGAIN) {
#if (NGX_HAVE_DEFERRED_ACCEPT && defined TCP_DEFER_ACCEPT)
if (c->listening->deferred_accept
#if (NGX_HTTP_SSL)
&& c->ssl == NULL
#endif
)
{
ngx_log_error(NGX_LOG_INFO, c->log, NGX_ETIMEDOUT,
"client timed out in deferred accept");
ngx_http_close_connection(c);
return;
}
#endif
if (!rev->timer_set) { if (!rev->timer_set) {
ngx_add_timer(rev, c->listening->post_accept_timeout); ngx_add_timer(rev, c->listening->post_accept_timeout);
ngx_reusable_connection(c, 1); ngx_reusable_connection(c, 1);
@ -635,15 +621,6 @@ ngx_http_ssl_handshake(ngx_event_t *rev)
if (n == -1) { if (n == -1) {
if (err == NGX_EAGAIN) { if (err == NGX_EAGAIN) {
#if (NGX_HAVE_DEFERRED_ACCEPT && defined TCP_DEFER_ACCEPT)
if (c->listening->deferred_accept) {
ngx_log_error(NGX_LOG_INFO, c->log, NGX_ETIMEDOUT,
"client timed out in deferred accept");
ngx_http_close_connection(c);
return;
}
#endif
if (!rev->timer_set) { if (!rev->timer_set) {
ngx_add_timer(rev, c->listening->post_accept_timeout); ngx_add_timer(rev, c->listening->post_accept_timeout);
ngx_reusable_connection(c, 1); ngx_reusable_connection(c, 1);
@ -1955,7 +1932,7 @@ ngx_http_set_virtual_server(ngx_http_request_t *r, ngx_str_t *host)
hc = r->http_connection; hc = r->http_connection;
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME #if (NGX_HTTP_SSL && defined SSL_CTRL_SET_TLSEXT_HOSTNAME)
if (hc->ssl_servername) { if (hc->ssl_servername) {
if (hc->ssl_servername->len == host->len if (hc->ssl_servername->len == host->len
@ -1986,7 +1963,7 @@ ngx_http_set_virtual_server(ngx_http_request_t *r, ngx_str_t *host)
return NGX_ERROR; return NGX_ERROR;
} }
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME #if (NGX_HTTP_SSL && defined SSL_CTRL_SET_TLSEXT_HOSTNAME)
if (hc->ssl_servername) { if (hc->ssl_servername) {
ngx_http_ssl_srv_conf_t *sscf; ngx_http_ssl_srv_conf_t *sscf;
@ -2053,7 +2030,7 @@ ngx_http_find_virtual_server(ngx_connection_t *c,
sn = virtual_names->regex; sn = virtual_names->regex;
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME #if (NGX_HTTP_SSL && defined SSL_CTRL_SET_TLSEXT_HOSTNAME)
if (r == NULL) { if (r == NULL) {
ngx_http_connection_t *hc; ngx_http_connection_t *hc;
@ -2085,7 +2062,7 @@ ngx_http_find_virtual_server(ngx_connection_t *c,
return NGX_DECLINED; return NGX_DECLINED;
} }
#endif /* SSL_CTRL_SET_TLSEXT_HOSTNAME */ #endif /* NGX_HTTP_SSL && defined SSL_CTRL_SET_TLSEXT_HOSTNAME */
for (i = 0; i < virtual_names->nregex; i++) { for (i = 0; i < virtual_names->nregex; i++) {

2
src/http/ngx_http_request.h
View file

@ -295,7 +295,7 @@ typedef struct {
ngx_http_addr_conf_t *addr_conf; ngx_http_addr_conf_t *addr_conf;
ngx_http_conf_ctx_t *conf_ctx; ngx_http_conf_ctx_t *conf_ctx;
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME #if (NGX_HTTP_SSL && defined SSL_CTRL_SET_TLSEXT_HOSTNAME)
ngx_str_t *ssl_servername; ngx_str_t *ssl_servername;
#if (NGX_PCRE) #if (NGX_PCRE)
ngx_http_regex_t *ssl_servername_regex; ngx_http_regex_t *ssl_servername_regex;

77
src/http/ngx_http_request_body.c
View file

@ -150,20 +150,27 @@ ngx_http_read_client_request_body(ngx_http_request_t *r,
goto done; goto done;
} }
cl = ngx_chain_get_free_buf(r->pool, &rb->free); if (rb->temp_file->file.offset != 0) {
if (cl == NULL) {
return NGX_HTTP_INTERNAL_SERVER_ERROR; cl = ngx_chain_get_free_buf(r->pool, &rb->free);
if (cl == NULL) {
rc = NGX_HTTP_INTERNAL_SERVER_ERROR;
goto done;
}
b = cl->buf;
ngx_memzero(b, sizeof(ngx_buf_t));
b->in_file = 1;
b->file_last = rb->temp_file->file.offset;
b->file = &rb->temp_file->file;
rb->bufs = cl;
} else {
rb->bufs = NULL;
} }
b = cl->buf;
ngx_memzero(b, sizeof(ngx_buf_t));
b->in_file = 1;
b->file_last = rb->temp_file->file.offset;
b->file = &rb->temp_file->file;
rb->bufs = cl;
} }
post_handler(r); post_handler(r);
@ -374,20 +381,26 @@ ngx_http_do_read_client_request_body(ngx_http_request_t *r)
return NGX_HTTP_INTERNAL_SERVER_ERROR; return NGX_HTTP_INTERNAL_SERVER_ERROR;
} }
cl = ngx_chain_get_free_buf(r->pool, &rb->free); if (rb->temp_file->file.offset != 0) {
if (cl == NULL) {
return NGX_HTTP_INTERNAL_SERVER_ERROR; cl = ngx_chain_get_free_buf(r->pool, &rb->free);
if (cl == NULL) {
return NGX_HTTP_INTERNAL_SERVER_ERROR;
}
b = cl->buf;
ngx_memzero(b, sizeof(ngx_buf_t));
b->in_file = 1;
b->file_last = rb->temp_file->file.offset;
b->file = &rb->temp_file->file;
rb->bufs = cl;
} else {
rb->bufs = NULL;
} }
b = cl->buf;
ngx_memzero(b, sizeof(ngx_buf_t));
b->in_file = 1;
b->file_last = rb->temp_file->file.offset;
b->file = &rb->temp_file->file;
rb->bufs = cl;
} }
r->read_event_handler = ngx_http_block_reading; r->read_event_handler = ngx_http_block_reading;
@ -842,6 +855,10 @@ ngx_http_request_body_length_filter(ngx_http_request_t *r, ngx_chain_t *in)
for (cl = in; cl; cl = cl->next) { for (cl = in; cl; cl = cl->next) {
if (rb->rest == 0) {
break;
}
tl = ngx_chain_get_free_buf(r->pool, &rb->free); tl = ngx_chain_get_free_buf(r->pool, &rb->free);
if (tl == NULL) { if (tl == NULL) {
return NGX_HTTP_INTERNAL_SERVER_ERROR; return NGX_HTTP_INTERNAL_SERVER_ERROR;
@ -936,13 +953,13 @@ ngx_http_request_body_chunked_filter(ngx_http_request_t *r, ngx_chain_t *in)
if (clcf->client_max_body_size if (clcf->client_max_body_size
&& clcf->client_max_body_size && clcf->client_max_body_size
< r->headers_in.content_length_n + rb->chunked->size) - r->headers_in.content_length_n < rb->chunked->size)
{ {
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
"client intended to send too large chunked " "client intended to send too large chunked "
"body: %O bytes", "body: %O+%O bytes",
r->headers_in.content_length_n r->headers_in.content_length_n,
+ rb->chunked->size); rb->chunked->size);
r->lingering_close = 1; r->lingering_close = 1;

17
src/http/ngx_http_spdy.c
View file

@ -1465,7 +1465,7 @@ static u_char *
ngx_http_spdy_state_save(ngx_http_spdy_connection_t *sc, ngx_http_spdy_state_save(ngx_http_spdy_connection_t *sc,
u_char *pos, u_char *end, ngx_http_spdy_handler_pt handler) u_char *pos, u_char *end, ngx_http_spdy_handler_pt handler)
{ {
#if (NGX_DEBUG) #if 1
if (end - pos > NGX_SPDY_STATE_BUFFER_SIZE) { if (end - pos > NGX_SPDY_STATE_BUFFER_SIZE) {
ngx_log_error(NGX_LOG_ALERT, sc->connection->log, 0, ngx_log_error(NGX_LOG_ALERT, sc->connection->log, 0,
"spdy state buffer overflow: " "spdy state buffer overflow: "
@ -2529,13 +2529,6 @@ ngx_http_spdy_init_request_body(ngx_http_request_t *r)
return NGX_ERROR; return NGX_ERROR;
} }
if (rb->rest == 0) {
buf->in_file = 1;
buf->file = &tf->file;
} else {
rb->buf = buf;
}
} else { } else {
if (rb->rest == 0) { if (rb->rest == 0) {
@ -2546,10 +2539,10 @@ ngx_http_spdy_init_request_body(ngx_http_request_t *r)
if (buf == NULL) { if (buf == NULL) {
return NGX_ERROR; return NGX_ERROR;
} }
rb->buf = buf;
} }
rb->buf = buf;
rb->bufs = ngx_alloc_chain_link(r->pool); rb->bufs = ngx_alloc_chain_link(r->pool);
if (rb->bufs == NULL) { if (rb->bufs == NULL) {
return NGX_ERROR; return NGX_ERROR;
@ -2633,6 +2626,10 @@ ngx_http_spdy_close_stream(ngx_http_spdy_stream_t *stream, ngx_int_t rc)
} }
} }
if (sc->stream == stream) {
sc->stream = NULL;
}
sscf = ngx_http_get_module_srv_conf(sc->http_connection->conf_ctx, sscf = ngx_http_get_module_srv_conf(sc->http_connection->conf_ctx,
ngx_http_spdy_module); ngx_http_spdy_module);

8
src/http/ngx_http_upstream.c
View file

@ -2456,14 +2456,12 @@ ngx_http_upstream_upgrade(ngx_http_request_t *r, ngx_http_upstream_t *u)
if (u->peer.connection->read->ready if (u->peer.connection->read->ready
|| u->buffer.pos != u->buffer.last) || u->buffer.pos != u->buffer.last)
{ {
ngx_post_event(c->read, &ngx_posted_events);
ngx_http_upstream_process_upgraded(r, 1, 1); ngx_http_upstream_process_upgraded(r, 1, 1);
return;
} }
if (c->read->ready ngx_http_upstream_process_upgraded(r, 0, 1);
|| r->header_in->pos != r->header_in->last)
{
ngx_http_upstream_process_upgraded(r, 0, 1);
}
} }

5
src/http/ngx_http_upstream_round_robin.c
View file

@ -523,7 +523,10 @@ ngx_http_upstream_get_peer(ngx_http_upstream_rr_peer_data_t *rrp)
rrp->tried[n] |= m; rrp->tried[n] |= m;
best->current_weight -= total; best->current_weight -= total;
best->checked = now;
if (now - best->checked > best->fail_timeout) {
best->checked = now;
}
return best; return best;
} }

2
src/http/ngx_http_variables.c
View file

@ -1988,7 +1988,7 @@ ngx_http_variable_request_time(ngx_http_request_t *r,
((tp->sec - r->start_sec) * 1000 + (tp->msec - r->start_msec)); ((tp->sec - r->start_sec) * 1000 + (tp->msec - r->start_msec));
ms = ngx_max(ms, 0); ms = ngx_max(ms, 0);
v->len = ngx_sprintf(p, "%T.%03M", ms / 1000, ms % 1000) - p; v->len = ngx_sprintf(p, "%T.%03M", (time_t) ms / 1000, ms % 1000) - p;
v->valid = 1; v->valid = 1;
v->no_cacheable = 0; v->no_cacheable = 0;
v->not_found = 0; v->not_found = 0;

1
src/mail/ngx_mail_smtp_module.c
View file

@ -277,7 +277,6 @@ ngx_mail_smtp_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
p = ngx_cpymem(p, conf->capability.data, conf->capability.len); p = ngx_cpymem(p, conf->capability.data, conf->capability.len);
p = ngx_cpymem(p, "250 STARTTLS" CRLF, sizeof("250 STARTTLS" CRLF) - 1); p = ngx_cpymem(p, "250 STARTTLS" CRLF, sizeof("250 STARTTLS" CRLF) - 1);
*p++ = CR; *p = LF;
p = conf->starttls_capability.data p = conf->starttls_capability.data
+ (last - conf->capability.data) + 3; + (last - conf->capability.data) + 3;

5
src/mail/ngx_mail_ssl_module.c
View file

@ -235,6 +235,11 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
mode = ""; mode = "";
} }
if (conf->file == NULL) {
conf->file = prev->file;
conf->line = prev->line;
}
if (*mode) { if (*mode) {
if (conf->certificate.len == 0) { if (conf->certificate.len == 0) {

2
src/os/unix/ngx_errno.h
View file

@ -49,10 +49,10 @@ typedef int ngx_err_t;
#define NGX_ECANCELED ECANCELED #define NGX_ECANCELED ECANCELED
#define NGX_EILSEQ EILSEQ #define NGX_EILSEQ EILSEQ
#define NGX_ENOMOREFILES 0 #define NGX_ENOMOREFILES 0
#define NGX_ELOOP ELOOP
#if (NGX_HAVE_OPENAT) #if (NGX_HAVE_OPENAT)
#define NGX_EMLINK EMLINK #define NGX_EMLINK EMLINK
#define NGX_ELOOP ELOOP
#endif #endif
#if (__hpux__) #if (__hpux__)

1
src/os/win32/ngx_errno.h
View file

@ -51,6 +51,7 @@ typedef DWORD ngx_err_t;
#define NGX_EHOSTUNREACH WSAEHOSTUNREACH #define NGX_EHOSTUNREACH WSAEHOSTUNREACH
#define NGX_ENOMOREFILES ERROR_NO_MORE_FILES #define NGX_ENOMOREFILES ERROR_NO_MORE_FILES
#define NGX_EILSEQ ERROR_NO_UNICODE_TRANSLATION #define NGX_EILSEQ ERROR_NO_UNICODE_TRANSLATION
#define NGX_ELOOP 0
#define NGX_EALREADY WSAEALREADY #define NGX_EALREADY WSAEALREADY
#define NGX_EINVAL WSAEINVAL #define NGX_EINVAL WSAEINVAL

2
src/os/win32/ngx_files.c
View file

@ -753,6 +753,8 @@ ngx_win32_check_filename(u_char *name, u_short *u, size_t len)
goto invalid; goto invalid;
} }
ngx_free(lu);
return NGX_OK; return NGX_OK;
invalid: invalid: