A configuration with a named location inside a zero-length prefix
or regex location used to trigger a segmentation fault, as
ngx_http_core_location() failed to properly detect if a nested location
was created. Example configuration to reproduce the problem:
location "" {
location @foo {}
}
Fix is to not rely on a parent location name length, but rather check
command type we are currently parsing.
Identical fix is also applied to ngx_http_rewrite_if(), which used to
incorrectly assume the "if" directive is on server{} level in such
locations.
Reported by Markus Linnala.
Found with afl-fuzz.
Test case:
location / {
error_page 405 /nope;
return 405;
}
location /nope {
return 200;
}
This is expected to return 405 with empty body, but in 0.8.42+ will return
builtin 405 error page as well (though not counted in Content-Length, thus
breaking protocol).
Fix is to use status provided by rewrite script execution in case
it's less than NGX_HTTP_BAD_REQUEST even if r->error_status set. This
check is in line with one in ngx_http_script_return_code().
Note that this patch also changes behaviour for "return 302 ..." and
"rewrite ... redirect" used as error handler. E.g.
location / {
error_page 405 /redirect;
return 405;
}
location /redirect {
rewrite ^ http://example.com/;
}
will actually return redirect to "http://example.com/" instead of builtin 405
error page with meaningless Location header. This looks like correct change
and it's in line with what happens on e.g. directory redirects in error
handlers.
*) Change in internal API: the HTTP modules initialization was moved
from the init module phase to the HTTP postconfiguration phase.
*) Change: now the request body is not read beforehand for the
ngx_http_perl_module: it's required to start the reading using the
$r->has_request_body method.
*) Feature: the ngx_http_perl_module supports the DECLINED return code.
*) Feature: the ngx_http_dav_module supports the incoming "Date" header
line for the PUT method.
*) Feature: the "ssi" directive is available inside the "if" block.
*) Bugfix: a segmentation fault occurred if there was an "index"
directive with variables and the first index name was without
variables; the bug had appeared in 0.1.29.
*) Feature: the "dav_access" directive.
*) Feature: the "if" directive supports the "-d", "!-d", "-e", "!-e",
"-x", and "!-x" operators.
*) Bugfix: a segmentation fault occurred if a request returned a
redirect and some sent to client header lines were logged in the
access log.
*) Feature: the "stub" parameter in the "include" SSI command.
*) Feature: the "block" SSI command.
*) Feature: the unicode2nginx script was added to contrib.
*) Bugfix: if a "root" was specified by variable only, then the root
was relative to a server prefix.
*) Bugfix: if the request contained "//" or "/./" and escaped symbols
after them, then the proxied request was sent unescaped.
*) Bugfix: the $r->headers_in("Cookie") of the ngx_http_perl_module now
returns all "Cookie" header lines.
*) Bugfix: a segmentation fault occurred if
"client_body_in_file_only on" was used and nginx switched to a next
upstream.
*) Bugfix: on some condition while reconfiguration character codes
inside the "charset_map" may be treated invalid; the bug had
appeared in 0.3.50.
*) Change: the "add_header" directive adds the string to 204, 301, and
302 responses.
*) Feature: the "server" directive in the "upstream" context supports
the "weight" parameter.
*) Feature: the "server_name" directive supports the "*" wildcard.
*) Feature: nginx supports the request body size more than 2G.
*) Bugfix: if a client was successfully authorized using "satisfy_any
on", then anyway the message "access forbidden by rule" was written
in the log.
*) Bugfix: the "PUT" method may erroneously not create a file and
return the 409 code.
*) Bugfix: if the IMAP/POP3 backend returned an error, then nginx
continued proxying anyway.
*) Feature: the "bind" option of the "listen" directive in IMAP/POP3
proxy.
*) Bugfix: if the same capture in the "rewrite" directive was used more
then once.
*) Bugfix: the $sent_http_content_type, $sent_http_content_length,
$sent_http_last_modified, $sent_http_connection,
$sent_http_keep_alive, and $sent_http_transfer_encoding variables
were not written to access log.
*) Bugfix: the $sent_http_cache_control returned value of the single
"Cache-Control" response header line.
*) Feature: the ngx_http_dav_module supports the MKCOL method.
*) Feature: the "create_full_put_path" directive.
*) Feature: the "$limit_rate" variable.
*) Feature: the "uninitialized_variable_warn" directive; the logging
level of the "uninitialized variable" message was lowered from
"alert" to "warn".
*) Feature: the "override_charset" directive.
*) Change: now if the unknown variable is used in the "echo" and "if
expr='$name'" SSI-commands, then the "unknown variable" message is
not logged.
*) Bugfix: the active connection counter increased on the exceeding of
the connection limit specified by the "worker_connections"
directive; the bug had appeared in 0.2.0.
*) Bugfix: the limit rate might not work on some condition; the bug had
appeared in 0.3.38.
*) Feature: the "limit_except" directive.
*) Feature: the "if" directive supports the "!~", "!~*", "-f", and
"!-f" operators.
*) Feature: the ngx_http_perl_module supports the $r->request_body
method.
*) Bugfix: in the ngx_http_addition_filter_module.
*) Change: the "valid_referers" directive and the "$invalid_referer"
variable were moved to the new ngx_http_referer_module from the
ngx_http_rewrite_module.
*) Change: the "$apache_bytes_sent" variable name was changed to
"$body_bytes_sent".
*) Feature: the "$sent_http_..." variables.
*) Feature: the "if" directive supports the "=" and "!=" operations.
*) Feature: the "proxy_pass" directive supports the HTTPS protocol.
*) Feature: the "proxy_set_body" directive.
*) Feature: the "post_action" directive.
*) Feature: the ngx_http_empty_gif_module.
*) Feature: the "worker_cpu_affinity" directive for Linux.
*) Bugfix: the "rewrite" directive did not unescape URI part in
redirect, now it is unescaped except the %00-%25 and %7F-%FF
characters.
*) Bugfix: nginx could not be built by the icc 9.0 compiler.
*) Bugfix: if the SSI was enabled for zero size static file, then the
chunked response was encoded incorrectly.
*) Security: nginx now checks URI got from a backend in
"X-Accel-Redirect" header line or in SSI file for the "/../" paths
and zeroes.
*) Change: nginx now does not treat the empty user name in the
"Authorization" header line as valid one.
*) Feature: the "ssl_session_timeout" directives of the
ngx_http_ssl_module and ngx_imap_ssl_module.
*) Feature: the "auth_http_header" directive of the
ngx_imap_auth_http_module.
*) Feature: the "add_header" directive.
*) Feature: the ngx_http_realip_module.
*) Feature: the new variables to use in the "log_format" directive:
$bytes_sent, $apache_bytes_sent, $status, $time_gmt, $uri,
$request_time, $request_length, $upstream_status,
$upstream_response_time, $gzip_ratio, $uid_got, $uid_set,
$connection, $pipe, and $msec. The parameters in the "%name" form
will be canceled soon.
*) Change: now the false variable values in the "if" directive are the
empty string "" and string starting with "0".
*) Bugfix: while using proxied or FastCGI-server nginx may leave
connections and temporary files with client requests in open state.
*) Bugfix: the worker processes did not flush the buffered logs on
graceful exit.
*) Bugfix: if the request URI was changes by the "rewrite" directive
and the request was proxied in location given by regular expression,
then the incorrect request was transferred to backend; the bug had
appeared in 0.2.6.
*) Bugfix: the "expires" directive did not remove the previous
"Expires" header.
*) Bugfix: nginx may stop to accept requests if the "rtsig" method and
several worker processes were used.
*) Bugfix: the "\"" and "\'" escape symbols were incorrectly handled in
SSI commands.
*) Bugfix: if the response was ended just after the SSI command and
gzipping was used, then the response did not transferred complete or
did not transferred at all.
*) Change: while using load-balancing the time before the failed
backend retry was decreased from 60 to 10 seconds.
*) Change: the "proxy_pass_unparsed_uri" was canceled, the original URI
now passed, if the URI part is omitted in "proxy_pass" directive.
*) Feature: the "error_page" directive supports redirects and allows
more flexible to change an error code.
*) Change: the charset in the "Content-Type" header line now is ignored
in proxied subrequests.
*) Bugfix: if the URI was changed in the "if" block and request did not
found new configuration, then the ngx_http_rewrite_module rules ran
again.
*) Bugfix: if the "set" directive set the ngx_http_geo_module variable
in some configuration part, the this variable was not available in
other configuration parts and the "using uninitialized variable"
error was occurred; the bug had appeared in 0.2.2.
*) Change: the "ssl_engine" directive was canceled in the
ngx_http_ssl_module and now is introduced at global level.
*) Bugfix: the responses with SSI subrequests did not transferred via
SSL connection.
*) Various bug fixes in the IMAP/POP3 proxy.
*) Feature: the "limit_rate" directive is supported in in proxy and
FastCGI mode.
*) Feature: the "X-Accel-Limit-Rate" response header line is supported
in proxy and FastCGI mode.
*) Feature: the "break" directive.
*) Feature: the "log_not_found" directive.
*) Bugfix: the response status code was not changed when request was
redirected by the ""X-Accel-Redirect" header line.
*) Bugfix: the variables set by the "set" directive could not be used
in SSI.
*) Bugfix: the segmentation fault may occurred if the SSI page has more
than one remote subrequest.
*) Bugfix: nginx treated the backend response as invalid if the status
line in the header was transferred in two packets; the bug had
appeared in 0.1.29.
*) Feature: the "ssi_types" directive.
*) Feature: the "autoindex_exact_size" directive.
*) Bugfix: the ngx_http_autoindex_module did not support the long file
names in UTF-8.
*) Feature: the IMAP/POP3 proxy.
*) Bugfix: the worker process may got caught in an endless loop if the
big response part were include by SSI.
*) Bugfix: the variables set by the "set" directive were not available
in SSI.
*) Feature: the "autoindex_localtime" directive.
*) Bugfix: the empty value of the "proxy_set_header" directive forbids
the client request header line passing.
*) Bugfix: nginx could not be built with the --without-pcre parameter;
the bug had appeared in 0.1.29.
*) Bugfix: 3, 4, 7, and 8 the "proxy_set_header" directives in one
level cause the bus fault on start up.
*) Bugfix: the HTTP protocol was specified in the HTTPS redirects.
*) Bugfix: if the "rewrite" directive used the captures inside the "if"
directive, then the 500 error code was returned.
*) Bugfix: the arguments were omitted in the redirects, issued by the
"rewrite" directive; the bug had appeared in 0.1.29.
*) Feature: the "if" directive supports the captures in regular
expressions.
*) Feature: the "set" directive supports the variables and the captures
of regular expressions.
*) Feature: the "X-Accel-Redirect" response header line is supported in
proxy and FastCGI mode.
*) Feature: the ngx_http_ssi_module supports "include virtual" command.
*) Feature: the ngx_http_ssi_module supports the condition command like
'if expr="$NAME"' and "else" and "endif" commands. Only one nested
level is supported.
*) Feature: the ngx_http_ssi_module supports the DATE_LOCAL and
DATE_GMT variables and "config timefmt" command.
*) Feature: the "ssi_ignore_recycled_buffers" directive.
*) Bugfix: the "echo" command did not show the default value for the
empty QUERY_STRING variable.
*) Change: the ngx_http_proxy_module was rewritten.
*) Feature: the "proxy_redirect", "proxy_pass_request_headers",
"proxy_pass_request_body", and "proxy_method" directives.
*) Feature: the "proxy_set_header" directive. The "proxy_x_var" was
canceled and must be replaced with the proxy_set_header directive.
*) Change: the "proxy_preserve_host" is canceled and must be replaced
with the "proxy_set_header Host $host" and the "proxy_redirect off"
directives, the "proxy_set_header Host $host:$proxy_port" directive
and the appropriate proxy_redirect directives.
*) Change: the "proxy_set_x_real_ip" is canceled and must be replaced
with the "proxy_set_header X-Real-IP $remote_addr" directive.
*) Change: the "proxy_add_x_forwarded_for" is canceled and must be
replaced with
the "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for"
directive.
*) Change: the "proxy_set_x_url" is canceled and must be replaced with
the "proxy_set_header X-URL http://$host:$server_port$request_uri"
directive.
*) Feature: the "fastcgi_param" directive.
*) Change: the "fastcgi_root", "fastcgi_set_var" and "fastcgi_params"
directive are canceled and must be replaced with the fastcgi_param
directives.
*) Feature: the "index" directive can use the variables.
*) Feature: the "index" directive can be used at http and server levels.
*) Change: the last index only in the "index" directive can be absolute.
*) Feature: the "rewrite" directive can use the variables.
*) Feature: the "internal" directive.
*) Feature: the CONTENT_LENGTH, CONTENT_TYPE, REMOTE_PORT, SERVER_ADDR,
SERVER_PORT, SERVER_PROTOCOL, DOCUMENT_ROOT, SERVER_NAME,
REQUEST_METHOD, REQUEST_URI, and REMOTE_USER variables.
*) Change: nginx now passes the invalid lines in a client request
headers or a backend response header.
*) Bugfix: if the backend did not transfer response for a long time and
the "send_timeout" was less than "proxy_read_timeout", then nginx
returned the 408 response.
*) Bugfix: the segmentation fault was occurred if the backend sent an
invalid line in response header; the bug had appeared in 0.1.26.
*) Bugfix: the segmentation fault may occurred in FastCGI fault
tolerance configuration.
*) Bugfix: the "expires" directive did not remove the previous
"Expires" and "Cache-Control" headers.
*) Bugfix: nginx did not take into account trailing dot in "Host"
header line.
*) Bugfix: the ngx_http_auth_module did not work under Linux.
*) Bugfix: the rewrite directive worked incorrectly, if the arguments
were in a request.
*) Bugfix: nginx could not be built on MacOS X.
*) Feature: the "blocked" parameter of the "valid_referers" directive.
*) Change: the errors while handling the request header now logged at
"info" level. The server name and the "Host" and "Referer" header
lines also logged.
*) Change: the "Host" header line is also logged in error log.
*) Feature: the proxy_pass_unparsed_uri directive. The special handling
of the "://" symbols in URI, appeared in 0.1.11 version, now is
canceled.
*) Bugfix: nginx could not be built on FreeBSD and Linux, if the
--without-ngx_http_auth_basic_module configuration parameter was
used.
*) Bugfix: nginx did run on Linux parisc.
*) Feature: nginx now does not start under FreeBSD if the sysctl
kern.ipc.somaxconn value is too big.
*) Bugfix: if a request was internally redirected by the
ngx_http_index_module module to the ngx_http_proxy_module or
ngx_http_fastcgi_module modules, then the index file was not closed
after request completion.
*) Feature: the "proxy_pass" can be used in location with regular
expression.
*) Feature: the ngx_http_rewrite_filter_module module supports the
condition like "if ($HTTP_USER_AGENT ~ MSIE)".
*) Bugfix: nginx started too slow if the large number of addresses and
text values were used in the "geo" directive.
*) Change: a variable name must be declared as "$name" in the "geo"
directive. The previous variant without "$" is still supported, but
will be removed soon.
*) Feature: the "%{VARIABLE}v" logging parameter.
*) Feature: the "set $name value" directive.
*) Bugfix: gcc 4.0 compatibility.
*) Feature: the --with-openssl-opt=OPTIONS autoconfiguration directive.
