Commit Graph

7795 Commits

Author SHA1 Message Date
Maxim Dounin
6ba18bc35e Added default overwrite in error_page 494.
We used to have default error_page overwrite for 495, 496, and 497, so
a configuration like

    error_page 495 /error;

will result in error 400, much like without any error_page configured.

The 494 status code was introduced later (in 3848:de59ad6bf557, nginx 0.9.4),
and relevant changes to ngx_http_core_error_page() were missed, resulting
in inconsistent behaviour of "error_page 494" - with error_page configured
it results in 494 being returned instead of 400.

Reported by Frank Liu,
http://mailman.nginx.org/pipermail/nginx/2020-February/058957.html.
2020-02-28 17:21:18 +03:00
Vladimir Homutov
b20ed8f7f1 Moved all QUIC code into ngx_event_quic.c
Introduced ngx_quic_input() and ngx_quic_output() as interface between
nginx and protocol.  They are the only functions that are exported.

While there, added copyrights.
2020-02-28 16:23:25 +03:00
Sergey Kandaurov
8993721298 Introduced quic_version macro, uint16/uint32 routines ported. 2020-02-28 13:09:52 +03:00
Sergey Kandaurov
ef8b06b186 Cleanup. 2020-02-28 13:09:52 +03:00
Vladimir Homutov
eb464a7feb Generic function for HKDF expansion. 2020-02-26 16:56:47 +03:00
Sergey Kandaurov
a3620d469f QUIC header protection routines, introduced ngx_quic_tls_hp(). 2020-02-28 13:09:52 +03:00
Sergey Kandaurov
56eead6176 AEAD routines, introduced ngx_quic_tls_open()/ngx_quic_tls_seal(). 2020-02-28 13:09:52 +03:00
Sergey Kandaurov
8c90e6f440 Transport parameters stub, to complete handshake. 2020-02-28 13:09:52 +03:00
Sergey Kandaurov
27e5e87784 Introduced ngx_quic_secret_t. 2020-02-28 13:09:52 +03:00
Sergey Kandaurov
aba1768d94 QUIC handshake handler, draft 24 bump. 2020-02-28 13:09:52 +03:00
Sergey Kandaurov
56a80c228a Fixed indentation. 2020-02-28 13:09:52 +03:00
Sergey Kandaurov
0ddf4a2e67 PN-aware AEAD nonce, feeding proper CRYPTO length. 2020-02-28 13:09:52 +03:00
Sergey Kandaurov
ac640641a6 OpenSSL compatibility. 2020-02-28 13:09:51 +03:00
Sergey Kandaurov
812a0b69a0 QUIC add_handshake_data callback, varint routines. 2020-02-28 13:09:51 +03:00
Sergey Kandaurov
b77c2d00b5 QUIC set_encryption_secrets callback. 2020-02-28 13:09:51 +03:00
Sergey Kandaurov
f03fe91663 Server Initial Keys. 2020-02-28 13:09:51 +03:00
Sergey Kandaurov
26ac1c73f0 Initial QUIC support in http. 2020-02-28 13:09:51 +03:00
Sergey Kandaurov
e92cb24f40 HTTP UDP layer, QUIC support autotest. 2020-02-28 13:09:51 +03:00
Vladimir Homutov
84510c9f1f Created the "quic" branch. 2020-03-03 12:14:44 +03:00
Roman Arutyunyan
ba27037a49 Mp4: fixed possible chunk offset overflow.
In "co64" atom chunk start offset is a 64-bit unsigned integer.  When trimming
the "mdat" atom, chunk offsets are casted to off_t values which are typically
64-bit signed integers.  A specially crafted mp4 file with huge chunk offsets
may lead to off_t overflow and result in negative trim boundaries.

The consequences of the overflow are:
- Incorrect Content-Length header value in the response.
- Negative left boundary of the response file buffer holding the trimmed "mdat".
  This leads to pread()/sendfile() errors followed by closing the client
  connection.

On rare systems where off_t is a 32-bit integer, this scenario is also feasible
with the "stco" atom.

The fix is to add checks which make sure data chunks referenced by each track
are within the mp4 file boundaries.  Additionally a few more checks are added to
ensure mp4 file consistency and log errors.
2020-02-26 15:10:46 +03:00
Sergey Kandaurov
f909a7dc33 Disabled connection reuse while in SSL handshake.
During SSL handshake, the connection could be reused in the OCSP stapling
callback, if configured, which subsequently leads to a segmentation fault.
2020-02-27 19:03:21 +03:00
Maxim Dounin
37984f0be1 Disabled duplicate "Host" headers (ticket #1724).
Duplicate "Host" headers were allowed in nginx 0.7.0 (revision b9de93d804ea)
as a workaround for some broken Motorola phones which used to generate
requests with two "Host" headers[1].  It is believed that this workaround
is no longer relevant.

[1] http://mailman.nginx.org/pipermail/nginx-ru/2008-May/017845.html
2020-02-20 16:51:07 +03:00
Maxim Dounin
b4d6b70d7f Removed "Transfer-Encoding: identity" support.
The "identity" transfer coding has been removed in RFC 7230.  It is
believed that it is not used in real life, and at the same time it
provides a potential attack vector.
2020-02-20 16:19:34 +03:00
Maxim Dounin
e64d798edb Disabled multiple Transfer-Encoding headers.
We anyway do not support more than one transfer encoding, so accepting
requests with multiple Transfer-Encoding headers doesn't make sense.
Further, we do not handle multiple headers, and ignore anything but
the first header.

Reported by Filippo Valsorda.
2020-02-20 16:19:29 +03:00
Vladimir Homutov
de5a054b33 Made ngx_http_get_forwarded_addr_internal() non-recursive. 2020-02-11 13:22:44 +03:00
Sergey Kandaurov
16168dcb01 HTTP/2: fixed socket leak with an incomplete HEADERS frame.
A connection could get stuck without timers if a client has partially sent
the HEADERS frame such that it was split on the individual header boundary.
In this case, it cannot be processed without the rest of the HEADERS frame.

The fix is to call ngx_http_v2_state_headers_save() in this case.  Normally,
it would be called from the ngx_http_v2_state_header_block() handler on the
next iteration, when there is not enough data to continue processing.  This
isn't the case if recv_buffer became empty and there's no more data to read.
2020-02-05 16:29:23 +03:00
Sergey Kandaurov
b7ea950a12 Version bump. 2020-02-05 16:29:14 +03:00
Maxim Dounin
9e07862d6e release-1.17.8 tag 2020-01-21 16:39:42 +03:00
Maxim Dounin
369ef46cc3 nginx-1.17.8-RELEASE 2020-01-21 16:39:41 +03:00
Vladimir Homutov
0e3b3b5735 gRPC: variables support in the "grpc_pass" directive. 2020-01-17 12:13:02 +03:00
Daniil Bondarev
60f648f035 HTTP/2: removed ngx_debug_point() call.
With the recent change to prevent frames flood in d4448892a294,
nginx will finalize the connection with NGX_HTTP_V2_INTERNAL_ERROR
whenever flood is detected, causing nginx aborting or stopping if
the debug_points directive is used in nginx config.
2020-01-14 14:20:08 +03:00
Maxim Dounin
fb34316d68 SSL: reworked posted next events again.
Previous change 1ce3f01a4355 incorrectly introduced processing of the
ngx_posted_next_events queue at the end of operation, effectively making
posted next events a nop, since at the end of an event loop iteration
the queue is always empty.  Correct approach is to move events to the
ngx_posted_events queue at an iteration start, as it was done previously.

Further, in some cases the c->read event might be already in the
ngx_posted_events queue, and calling ngx_post_event() with the
ngx_posted_next_events queue won't do anything.  To make sure the event
will be correctly placed into the ngx_posted_next_events queue
we now check if it is already posted.
2019-12-27 19:43:01 +03:00
Maxim Dounin
8ca5cab663 Trailing space removed. 2019-12-27 17:20:25 +03:00
Maxim Dounin
a8c9ce39d0 Version bump. 2019-12-27 17:20:20 +03:00
Maxim Dounin
1554444042 release-1.17.7 tag 2019-12-24 18:00:09 +03:00
Maxim Dounin
e5595b37e3 nginx-1.17.7-RELEASE 2019-12-24 18:00:09 +03:00
Maxim Dounin
24f18aea8c SSL: reworked posted next events.
Introduced in 9d2ad2fb4423 available bytes handling in SSL relied
on connection read handler being overwritten to set the ready flag
and the amount of available bytes.  This approach is, however, does
not work properly when connection read handler is changed, for example,
when switching to a next pipelined request, and can result in unexpected
connection timeouts, see here:

http://mailman.nginx.org/pipermail/nginx-devel/2019-December/012825.html

Fix is to introduce ngx_event_process_posted_next() instead, which
will set ready and available regardless of how event handler is set.
2019-12-24 17:24:59 +03:00
Maxim Dounin
810559665a HTTP/2: introduced separate handler to retry stream close.
When ngx_http_v2_close_stream_handler() is used to retry stream close
after queued frames are sent, client timeouts on the stream can be
logged multiple times and/or in addition to already happened errors.
To resolve this, separate ngx_http_v2_retry_close_stream_handler()
was introduced, which does not try to log timeouts.
2019-12-23 21:25:21 +03:00
Maxim Dounin
49709f75b2 HTTP/2: fixed socket leak with queued frames (ticket #1689).
If a stream is closed with queued frames, it is possible that no further
write events will occur on the stream, leading to the socket leak.
To fix this, the stream's fake connection read handler is set to
ngx_http_v2_close_stream_handler(), to make sure that finalizing the
connection with ngx_http_v2_finalize_connection() will be able to
close the stream regardless of the current number of queued frames.

Additionally, the stream's fake connection fc->error flag is explicitly
set, so ngx_http_v2_handle_stream() will post a write event when queued
frames are finally sent even if stream flow control window is exhausted.
2019-12-23 21:25:17 +03:00
Maxim Dounin
5e5fa2e9e5 Dav: added checks for chunked to body presence conditions.
These checks were missed when chunked support was introduced.  And also
added an explicit error message to ngx_http_dav_copy_move_handler()
(it was missed for some reason, in contrast to DELETE and MKCOL handlers).
2019-12-23 20:39:27 +03:00
Sergey A. Osokin
d97ccc831a Update manpage, sort command line options. 2019-12-23 18:56:21 +03:00
Ruslan Ermilov
c1be55f972 Discard request body when redirecting to a URL via error_page.
Reported by Bert JW Regeer and Francisco Oca Gonzalez.
2019-12-23 15:45:46 +03:00
Ruslan Ermilov
4c031f9a6a Rewrite: disallow empty replacements.
While empty replacements were caught at run-time, parsing code
of the "rewrite" directive expects that a minimum length of the
"replacement" argument is 1.
2019-12-16 15:19:01 +03:00
Ruslan Ermilov
a5895eb502 Tolerate '\0' in URI when mapping URI to path.
If a rewritten URI has the null character, only a part of URI was
copied to a memory buffer allocated for path.  In some setups this
could be exploited to expose uninitialized memory via the Location
header.
2019-12-16 15:19:01 +03:00
Ruslan Ermilov
af8ea176a7 Rewrite: fixed segfault with rewritten URI and "alias".
The "alias" directive cannot be used in the same location where URI
was rewritten.  This has been detected in the "rewrite ... break"
case, but not when the standalone "break" directive was used.

This change also fixes proxy_pass with URI component in a similar
case:

       location /aaa/ {
           rewrite ^ /xxx/yyy;
           break;
           proxy_pass http://localhost:8080/bbb/;
       }

Previously, the "/bbb/yyy" would be sent to a backend instead of
"/xxx/yyy".  And if location's prefix was longer than the rewritten
URI, a segmentation fault might occur.
2019-12-16 15:19:01 +03:00
Ruslan Ermilov
48086f79ad Fixed request finalization in ngx_http_index_handler().
Returning 500 instead of NGX_ERROR is preferable here because
header has not yet been sent to the client.
2019-12-16 15:19:01 +03:00
Ruslan Ermilov
be45a3aa59 Saved some memory allocations.
In configurations when "root" has variables, some modules unnecessarily
allocated memory for the "Location" header value.
2019-12-16 15:19:01 +03:00
Ruslan Ermilov
6dc0c880e5 Dav: fixed Location in successful MKCOL response.
Instead of reducing URI length to not include the terminating '\0'
character in 6ddaac3e0bf7, restore the terminating '/' character.
2019-12-16 15:19:01 +03:00
Maxim Dounin
953f539215 Upstream keepalive: clearing of c->data in cached connections.
Previously, connections returned from keepalive cache had c->data
pointing to the keepalive cache item.  While this shouldn't be a problem
for correct code, as c->data is not expected to be used before it is set,
explicitly clearing it might help to avoid confusion.
2019-12-05 19:38:06 +03:00
Maxim Dounin
d77ec5493c Version bump. 2019-12-05 19:22:48 +03:00