Commit Graph

114 Commits

Author SHA1 Message Date
Maxim Dounin
cba23f88ec Fixed handling of non-null-terminated unix sockets.
At least FreeBSD, macOS, NetBSD, and OpenBSD can return unix sockets
with non-null-terminated sun_path.  Additionally, the address may become
non-null-terminated if it does not fit into the buffer provided and was
truncated (may happen on macOS, NetBSD, and Solaris, which allow unix socket
addresess larger than struct sockaddr_un).  As such, ngx_sock_ntop() might
overread the sockaddr provided, as it used "%s" format and thus assumed
null-terminated string.

To fix this, the ngx_strnlen() function was introduced, and it is now used
to calculate correct length of sun_path.
2017-10-04 21:19:38 +03:00
Valentin Bartenev
9197a3c874 Parenthesized ASCII-related calculations.
This also fixes potential undefined behaviour in the range and slice filter
modules, caused by local overflows of signed integers in expressions.
2017-07-17 17:23:51 +03:00
Valentin Bartenev
97cb30370f Core: improved JSON escaping.
Two-character representations are now used for \b, \f, \n, \r, and \t.
2017-04-12 22:47:57 +03:00
Sergey Kandaurov
6299f5e914 Avoid left-shifting integers into the sign bit, which is undefined.
Found with UndefinedBehaviorSanitizer.
2016-07-07 21:02:28 +03:00
Maxim Dounin
6994593478 Style: NGX_PTR_SIZE replaced with sizeof(void *).
The NGX_PTR_SIZE macro is only needed in preprocessor directives where
it's not possible to use sizeof().
2015-12-03 20:06:45 +03:00
Ruslan Ermilov
8167ce8537 Core: overflow detection in number parsing functions. 2015-03-17 00:26:15 +03:00
Igor Sysoev
415c8ec4b4 A bounds check of %N format on Windows.
Thanks to Joe Bialek, Adam Zabrocki and Microsoft Vulnerability Research.
2015-01-27 15:38:15 +03:00
Valentin Bartenev
5453f0afe6 Autoindex: implemented JSON output format. 2014-12-12 20:25:35 +03:00
Piotr Sikora
3ba8f2f73d Core: use uppercase hexadecimal digits for percent-encoding.
RFC3986 says that, for consistency, URI producers and normalizers
should use uppercase hexadecimal digits for all percent-encodings.

This is also what modern web browsers and other tools use.

Using lowercase hexadecimal digits makes it harder to interact with
those tools in case when use of the percent-encoded URI is required,
for example when $request_uri is part of the cache key.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-06-26 23:39:23 -07:00
Maxim Dounin
7ac48da41d Core: added ngx_encode_base64url(). 2014-02-04 04:59:21 +04:00
Maxim Dounin
e11584164f Added ngx_filename_cmp() with "/" sorted to the left.
This patch fixes incorrect handling of auto redirect in configurations
like:

    location /0  { }
    location /a- { }
    location /a/ { proxy_pass ... }

With previously used sorting, this resulted in the following locations
tree (as "-" is less than "/"):

        "/a-"
    "/0"    "/a/"

and a request to "/a" didn't match "/a/" with auto_redirect, as it
didn't traverse relevant tree node during lookup (it tested "/a-",
then "/0", and then falled back to null location).

To preserve locale use for non-ASCII characters on case-insensetive
systems, libc's tolower() used.
2013-09-23 19:37:13 +04:00
Maxim Dounin
5b37852323 Win32: Open Watcom C compatibility fixes.
Precompiled headers are disabled as they lead to internal compiler errors
with long configure lines.  Couple of false positive warnings silenced.
Various win32 typedefs are adjusted to work with Open Watcom C 1.9 headers.

With this patch, it's now again possible to compile nginx using owc386,
with options we normally compile on win32 minus ipv6 and ssl.
2013-09-04 20:48:22 +04:00
Maxim Dounin
d053bacb9c Added "const" to ngx_memcpy() with NGX_MEMCPY_LIMIT defined.
This fixes warning produced during compilation of the ngx_http_geoip_module
due to const qualifier being discarded.
2012-08-03 09:07:30 +00:00
Igor Sysoev
c7bb66a9a3 Fix of "%f" format handling.
ngx_sprintf("%.2f", 0.999) incorrectly resulted in "0.100" instead of "1.00".
2012-04-23 11:11:32 +00:00
Maxim Konovalov
f8d59e33f3 Copyright updated. 2012-01-18 15:07:43 +00:00
Maxim Dounin
1b9b19d7e2 Added escaping of double quotes in ngx_escape_html().
Patch by Zaur Abasmirzoev.
2011-11-25 16:36:02 +00:00
Maxim Dounin
ba76a89d4b Fixed utf8 decode (ticket #25).
Patch by Alexey Kuts.
2011-10-13 13:56:41 +00:00
Maxim Dounin
6226fe3512 Autoindex: escape '?' in file names.
For files with '?' in their names autoindex generated links with '?' not
escaped.  This resulted in effectively truncated links as '?' indicates
query string start.

This is an updated version of the patch originally posted at [1].  It
introduces generic NGX_ESCAPE_URI_COMPONENT which escapes everything but
unreserved characters as per RFC 3986.  This approach also renders unneeded
special colon processing (as colon is percent-encoded now), it's dropped
accordingly.

[1] http://nginx.org/pipermail/nginx-devel/2010-February/000112.html

Reported by Konstantin Leonov.
2011-10-11 17:56:51 +00:00
Ruslan Ermilov
a823c550e4 Replaced "can not" with "cannot" and "could not" in a bunch of places.
Fixed nearby grammar errors.
2011-09-19 14:48:29 +00:00
Igor Sysoev
94e9aaa8ad new ngx_http_secure_link_module with secure_link, secure_link_md5, and
secure_link_expires
2010-09-02 14:37:16 +00:00
Igor Sysoev
0e0e0af51b escape ";" in arguments 2010-07-30 13:25:19 +00:00
Igor Sysoev
0923d08148 change ngx_http_variable_value_node_t to more generic ngx_str_node_t 2010-06-23 15:31:33 +00:00
Igor Sysoev
328df7a5cc use ngx_min() and ngx_max() 2010-05-14 09:55:33 +00:00
Igor Sysoev
d2b687cf3f ngx_atofp() 2010-05-14 09:01:30 +00:00
Igor Sysoev
50af406144 fix rounding issues in %f format 2010-05-12 13:13:11 +00:00
Igor Sysoev
503b9716c5 use double in %f format to allow %.15f precision 2010-05-12 13:12:31 +00:00
Igor Sysoev
170a54f326 escape ampersand in argument while rewrite 2010-04-01 12:45:59 +00:00
Igor Sysoev
d8be48a546 fix ngx_utf8_cpystrn(): it did not fully copy utf-8 string 2010-01-11 13:39:24 +00:00
Igor Sysoev
612ecb7674 optimize some cycles:
*) delete surplus variable;
*) on i386/amd64 "while (n) / n--" is smaller than "while (n--)",
   because the platforms have no postfix operations
2009-11-02 17:12:09 +00:00
Igor Sysoev
96e36ef252 If .domain.com, .sub.domain.com, and .domain-some.com were defined,
then .sub.domain.com was matched by .domain.com: wildcard names hash
was built incorrectly due to sorting order issue of "." vs "-".
They were sorted as
    com.domain  com.domain-some  com.domain.sub
while they should be sorted as
    com.domain  com.domain.sub   com.domain-some
for correct hash building
2009-09-12 09:28:37 +00:00
Igor Sysoev
e0f1d0afcc style fix 2009-09-11 13:57:50 +00:00
Igor Sysoev
9262c6138e fix typo 2009-08-26 15:03:53 +00:00
Igor Sysoev
8e5f0acbc2 change surplus for() to while() 2009-06-05 12:33:49 +00:00
Igor Sysoev
4e1fe03e03 ngx_vslprintf(), ngx_slprintf() 2009-04-27 12:51:33 +00:00
Igor Sysoev
d5ba36fdad backout r2677 and fix ngx_strlcasestrn() again 2009-04-06 11:42:42 +00:00
Igor Sysoev
f3aed53c9d fix ngx_strlcasestrn() 2009-04-06 10:38:40 +00:00
Igor Sysoev
a514d68bfb ngx_strlcasestrn() 2009-04-04 17:31:54 +00:00
Igor Sysoev
74b7e5fadd %f format 2008-11-10 15:20:59 +00:00
Igor Sysoev
777b019c73 ngx_strlow() 2008-08-04 10:07:00 +00:00
Igor Sysoev
a089857143 rename ngx_utf_...() to ngx_utf8_...() 2008-07-29 14:41:34 +00:00
Igor Sysoev
96eaa05fd2 fix utf-8 names in autoindex 2008-07-25 14:29:05 +00:00
Igor Sysoev
7f6b2ffc60 *) back out r2040
*) refactor ngx_palloc()
*) introduce ngx_pnalloc()
*) additional pool blocks have smaller header
2008-06-17 15:00:30 +00:00
Igor Sysoev
de8ec1efc8 use ngx_int_t in ngx_sort() callback 2008-03-24 13:04:02 +00:00
Igor Sysoev
8634118bc8 use dynamically allocated buffer in ngx_sort() 2008-03-23 19:58:54 +00:00
Igor Sysoev
16315761db limit string length 2008-01-24 15:18:58 +00:00
Igor Sysoev
fb42465646 use correct type cast 2008-01-24 15:18:17 +00:00
Igor Sysoev
0bd32b7569 allow zero length in %*s 2008-01-22 15:13:01 +00:00
Igor Sysoev
79d9a042a2 %*s format 2007-12-24 17:05:16 +00:00
Igor Sysoev
a03fa3666f replace ngx_md5_text() with ngx_hex_dump() 2007-12-17 21:06:17 +00:00
Igor Sysoev
cc5484fab1 do not encode already encoded characters in msie_refresh 2007-11-09 13:17:58 +00:00