Commit Graph

37 Commits

Author SHA1 Message Date
Maxim Dounin
5cc1fb1d5b Autoindex: escape html in file names. 2011-10-11 17:57:41 +00:00
Maxim Dounin
6226fe3512 Autoindex: escape '?' in file names.
For files with '?' in their names autoindex generated links with '?' not
escaped.  This resulted in effectively truncated links as '?' indicates
query string start.

This is an updated version of the patch originally posted at [1].  It
introduces generic NGX_ESCAPE_URI_COMPONENT which escapes everything but
unreserved characters as per RFC 3986.  This approach also renders special
colon processing unneeded (as colon is percent-encoded now), so it's dropped
accordingly.

[1] http://nginx.org/pipermail/nginx-devel/2010-February/000112.html

Reported by Konstantin Leonov.
2011-10-11 17:56:51 +00:00
Igor Sysoev
de0b1d6f12 remove r->zero_in_uri 2010-05-24 12:35:10 +00:00
Igor Sysoev
05b1a8f1e3 ngx_str_set() and ngx_str_null() 2010-05-14 09:56:37 +00:00
Igor Sysoev
260c4321d7 return NULL instead of NGX_CONF_ERROR on a create conf failure 2009-06-02 16:09:44 +00:00
Igor Sysoev
d1d8cd587b refactor ngx_http_charset_header_filter() 2009-05-25 15:57:43 +00:00
Igor Sysoev
7f20c49059 fix colon in file name for ngx_http_autoindex_module 2009-05-17 19:01:23 +00:00
Igor Sysoev
d7fe640672 remove TODO comments 2009-04-18 19:39:06 +00:00
Igor Sysoev
51fad316cd skip protected symlinks in autoindex 2008-12-08 14:05:21 +00:00
Igor Sysoev
a089857143 rename ngx_utf_...() to ngx_utf8_...() 2008-07-29 14:41:34 +00:00
Igor Sysoev
96eaa05fd2 fix utf-8 names in autoindex 2008-07-25 14:29:05 +00:00
Igor Sysoev
7f6b2ffc60 *) back out r2040
*) refactor ngx_palloc()
*) introduce ngx_pnalloc()
*) additional pool blocks have smaller header
2008-06-17 15:00:30 +00:00
Igor Sysoev
4c89c09ad8 fix autoindex for "alias /" 2007-11-08 15:21:54 +00:00
Igor Sysoev
34ebeb60eb fix file leak for HEAD requests 2007-09-22 17:56:05 +00:00
Igor Sysoev
81188729e6 charset could not be set for ngx_http_autoindex_module responses 2006-11-13 20:53:37 +00:00
Igor Sysoev
0e5f86d871 remove r->root_length 2006-10-12 13:36:54 +00:00
Igor Sysoev
da173abde0 nginx-0.4.0-RELEASE import
*) Change in internal API: the HTTP modules initialization was moved
       from the init module phase to the HTTP postconfiguration phase.

    *) Change: now the request body is not read beforehand for the
       ngx_http_perl_module: it's required to start the reading using the
       $r->has_request_body method.

    *) Feature: the ngx_http_perl_module supports the DECLINED return code.

    *) Feature: the ngx_http_dav_module supports the incoming "Date" header
       line for the PUT method.

    *) Feature: the "ssi" directive is available inside the "if" block.

    *) Bugfix: a segmentation fault occurred if there was an "index"
       directive with variables and the first index name was without
       variables; the bug had appeared in 0.1.29.
2006-08-30 10:39:17 +00:00
Igor Sysoev
8f1255877c nginx-0.3.55-RELEASE import
*) Feature: the "stub" parameter in the "include" SSI command.

    *) Feature: the "block" SSI command.

    *) Feature: the unicode2nginx script was added to contrib.

    *) Bugfix: if a "root" was specified by variable only, then the root
       was relative to a server prefix.

    *) Bugfix: if the request contained "//" or "/./" and escaped symbols
       after them, then the proxied request was sent unescaped.

    *) Bugfix: the $r->headers_in("Cookie") of the ngx_http_perl_module now
       returns all "Cookie" header lines.

    *) Bugfix: a segmentation fault occurred if
       "client_body_in_file_only on" was used and nginx switched to a next
       upstream.

    *) Bugfix: on some condition while reconfiguration character codes
       inside the "charset_map" may be treated invalid; the bug had
       appeared in 0.3.50.
2006-07-28 15:16:17 +00:00
Igor Sysoev
ef809b86c3 nginx-0.3.50-RELEASE import
*) Change: the "proxy_redirect_errors" and "fastcgi_redirect_errors"
       directives were renamed to the "proxy_intercept_errors" and
       "fastcgi_intercept_errors" directives.

    *) Feature: the ngx_http_charset_module supports the recoding from the
       single byte encodings to the UTF-8 encoding and back.

    *) Feature: the "X-Accel-Charset" response header line is supported in
       proxy and FastCGI mode.

    *) Bugfix: the "\" escape symbol in the "\"" and "\'" pairs in the SSI
       command was removed only if the command also has the "$" symbol.

    *) Bugfix: the "<!--" string might be added on some conditions in the
       SSI after inclusion.

    *) Bugfix: if the "Content-Length: 0" header line was in response, then
       in nonbuffered proxying mode the client connection was not closed.
2006-06-28 16:00:26 +00:00
Igor Sysoev
ac72bd17d1 nginx-0.3.44-RELEASE import
*) Feature: the "wait" parameter in the "include" SSI command.

    *) Feature: the Ukrainian and Byelorussian characters were added to
       koi-win conversion table.

    *) Bugfix: in the SSI.
2006-05-04 15:32:46 +00:00
Igor Sysoev
7bdb720d6a nginx-0.3.40-RELEASE import
*) Feature: the ngx_http_dav_module supports the MKCOL method.

    *) Feature: the "create_full_put_path" directive.

    *) Feature: the "$limit_rate" variable.
2006-04-19 15:30:56 +00:00
Igor Sysoev
df3254aa49 nginx-0.3.20-RELEASE import
*) Bugfix: in SSI handling.

    *) Bugfix: the ngx_http_memcached_module did not support the keys in
       the "/usr?args" form.
2006-01-11 15:26:57 +00:00
Igor Sysoev
0e5dc5cff6 nginx-0.3.10-RELEASE import
*) Change: the "valid_referers" directive and the "$invalid_referer"
       variable were moved to the new ngx_http_referer_module from the
       ngx_http_rewrite_module.

    *) Change: the "$apache_bytes_sent" variable name was changed to
       "$body_bytes_sent".

    *) Feature: the "$sent_http_..." variables.

    *) Feature: the "if" directive supports the "=" and "!=" operations.

    *) Feature: the "proxy_pass" directive supports the HTTPS protocol.

    *) Feature: the "proxy_set_body" directive.

    *) Feature: the "post_action" directive.

    *) Feature: the ngx_http_empty_gif_module.

    *) Feature: the "worker_cpu_affinity" directive for Linux.

    *) Bugfix: the "rewrite" directive did not unescape URI part in
       redirect, now it is unescaped except the %00-%25 and %7F-%FF
       characters.

    *) Bugfix: nginx could not be built by the icc 9.0 compiler.

    *) Bugfix: if the SSI was enabled for zero size static file, then the
       chunked response was encoded incorrectly.
2005-11-15 13:30:52 +00:00
Igor Sysoev
c2068d08f0 nginx-0.3.3-RELEASE import
*) Change: the "bl" and "af" parameters of the "listen" directive were
       renamed to the "backlog" and "accept_filter".

    *) Feature: the "rcvbuf" and "sndbuf" parameters of the "listen"
       directive.

    *) Change: the "$msec" log parameter does not require now the
       additional gettimeofday() system call.

    *) Feature: the -t switch now tests the "listen" directives.

    *) Bugfix: if the invalid address was specified in the "listen"
       directive, then after the -HUP signal nginx left an open socket in
       the CLOSED state.

    *) Bugfix: the mime type may be incorrectly set to default value for
       index file with variable in the name; the bug had appeared in 0.3.0.

    *) Feature: the "timer_resolution" directive.

    *) Feature: the millisecond "$upstream_response_time" log parameter.

    *) Bugfix: a temporary file with client request body now is removed
       just after the response header was transferred to a client.

    *) Bugfix: OpenSSL 0.9.6 compatibility.

    *) Bugfix: the SSL certificate and key file paths could not be relative.

    *) Bugfix: the "ssl_prefer_server_ciphers" directive did not work in
       the ngx_imap_ssl_module.

    *) Bugfix: the "ssl_protocols" directive allowed to specify the single
       protocol only.
2005-10-19 12:33:58 +00:00
Igor Sysoev
208eed2210 nginx-0.3.0-RELEASE import
*) Change: the 10-days live time limit of worker process was
       eliminated. The limit was introduced because of millisecond timers
       overflow.
2005-10-07 13:30:52 +00:00
Igor Sysoev
f6e1fe3f28 nginx-0.2.5-RELEASE import
*) Change: the duplicate value of the ngx_http_geo_module variable now
       causes the warning and changes old value.

    *) Feature: the ngx_http_ssi_module supports the "set" command.

    *) Feature: the ngx_http_ssi_module supports the "file" parameter in
       the "include" command.

    *) Feature: the ngx_http_ssi_module supports the variable value
       substitutions in expressions of the "if" command.
2005-10-04 10:38:53 +00:00
Igor Sysoev
9fa5a823c4 nginx-0.2.2-RELEASE import
*) Feature: the "config errmsg" command of the ngx_http_ssi_module.

    *) Change: the ngx_http_geo_module variables can be overridden by the
       "set" directive.

    *) Feature: the "ssl_protocols" and "ssl_prefer_server_ciphers"
       directives of the ngx_http_ssl_module and ngx_imap_ssl_module.

    *) Bugfix: the ngx_http_autoindex_module did not show correctly the
       long file names;

    *) Bugfix: the ngx_http_autoindex_module now does not show the files
       starting with a dot.

    *) Bugfix: if the SSL handshake failed then another connection may be
       closed too.
       Thanks to Rob Mueller.

    *) Bugfix: the export versions of MSIE 5.x could not connect via HTTPS.
2005-09-30 14:41:25 +00:00
Igor Sysoev
31eb8c015d nginx-0.2.0-RELEASE import
*) The pid-file names used during online upgrade were changed and a
       manual rename operation is not required now. The old master process adds
       the ".oldbin" suffix to its pid-file and executes a new binary file.
       The new master process creates usual pid-file without the ".newbin"
       suffix. If the master process exits, then old master process renames
       back its pid-file with the ".oldbin" suffix to the pid-file without
       suffix.

    *) Change: the "worker_connections" directive, new name of the
       "connections" directive; now the directive specifies maximum number
       of connections, but not maximum socket descriptor number.

    *) Feature: SSL supports the session cache inside one worker process.

    *) Feature: the "satisfy_any" directive.

    *) Change: the ngx_http_access_module and ngx_http_auth_basic_module do
       not run for subrequests.

    *) Feature: the "worker_rlimit_nofile" and "worker_rlimit_sigpending"
       directives.

    *) Bugfix: if all backends used in load-balancing failed after one
       error, then nginx did not try to connect to them during 60 seconds.

    *) Bugfix: in IMAP/POP3 command argument parsing.
       Thanks to Rob Mueller.

    *) Bugfix: errors while using SSL in IMAP/POP3 proxy.

    *) Bugfix: errors while using SSI and gzipping.

    *) Bugfix: the "Expires" and "Cache-Control" header lines were omitted
       from the 304 responses.
       Thanks to Alexandr Kukushkin.
2005-09-23 11:02:22 +00:00
Igor Sysoev
e573380f24 nginx-0.1.45-RELEASE import
*) Change: the "ssl_engine" directive was canceled in the
       ngx_http_ssl_module and now is introduced at global level.

    *) Bugfix: the responses with SSI subrequests were not transferred via
       SSL connection.

    *) Various bug fixes in the IMAP/POP3 proxy.
2005-09-08 14:36:09 +00:00
Igor Sysoev
187b7d9558 nginx-0.1.39-RELEASE import
*) The changes in the ngx_http_charset_module: the "default_charset"
       directive was canceled; the "charset" directive sets the response
       charset; the "source_charset" directive sets the source charset only.

    *) Bugfix: the backend "WWW-Authenticate" header line was not
       transferred while the 401 response code redirecting.

    *) Bugfix: the ngx_http_proxy_module and ngx_http_fastcgi_module may
       close a connection before anything was transferred to a client; the
       bug had appeared in 0.1.38.

    *) Workaround: the Linux glibc crypt_r() initialization bug.

    *) Bugfix: the ngx_http_ssi_module did not support the relative URI in
       the "include virtual" command.

    *) Bugfix: if the backend response had the "Location" header line and
       nginx should not rewrite this line, then the 500 code response body
       was transferred; the bug had appeared in 0.1.29.

    *) Bugfix: some directives of the ngx_http_proxy_module and
       ngx_http_fastcgi_module were not inherited from the server to the
       location level; the bug had appeared in 0.1.29.

    *) Bugfix: the ngx_http_ssl_module did not support the certificate
       chain.

    *) Bugfix: the ngx_http_autoindex_module did not show correctly the
       long file names; the bug had appeared in 0.1.38.

    *) Bugfixes in IMAP/POP3 proxy in interaction with a backend at the
       login state.
2005-07-14 12:51:53 +00:00
Igor Sysoev
5192b3651f nginx-0.1.38-RELEASE import
*) Feature: the "limit_rate" directive is supported in proxy and
       FastCGI mode.

    *) Feature: the "X-Accel-Limit-Rate" response header line is supported
       in proxy and FastCGI mode.

    *) Feature: the "break" directive.

    *) Feature: the "log_not_found" directive.

    *) Bugfix: the response status code was not changed when request was
       redirected by the "X-Accel-Redirect" header line.

    *) Bugfix: the variables set by the "set" directive could not be used
       in SSI.

    *) Bugfix: the segmentation fault may occur if the SSI page has more
       than one remote subrequest.

    *) Bugfix: nginx treated the backend response as invalid if the status
       line in the header was transferred in two packets; the bug had
       appeared in 0.1.29.

    *) Feature: the "ssi_types" directive.

    *) Feature: the "autoindex_exact_size" directive.

    *) Bugfix: the ngx_http_autoindex_module did not support the long file
       names in UTF-8.

    *) Feature: the IMAP/POP3 proxy.
2005-07-08 14:34:20 +00:00
Igor Sysoev
85ef94ba85 nginx-0.1.37-RELEASE import
*) Change: now the "\n" is added to the end of the "nginx.pid" file.

    *) Bugfix: the responses may be transferred not completely, if many
       parts or the big parts were included by SSI.

    *) Bugfix: if all backends had returned the 404 response and the
       "http_404" parameter of the "proxy_next_upstream" or
       "fastcgi_next_upstream" directives was used, then nginx started to
       request all backends again.
2005-06-23 13:41:06 +00:00
Igor Sysoev
b145b067e2 nginx-0.1.36-RELEASE import
*) Change: if the request header has the duplicate "Host",
       "Connection", "Content-Length", or "Authorization" lines, then nginx
       now returns the 400 error.

    *) Change: the "post_accept_timeout" directive was canceled.

    *) Feature: the "default", "af=", "bl=", "deferred", and "bind"
       parameters of the "listen" directive.

    *) Feature: the FreeBSD accept filters support.

    *) Feature: the Linux TCP_DEFER_ACCEPT support.

    *) Bugfix: the ngx_http_autoindex_module did not support the file names
       in UTF-8.

    *) Bugfix: the new log file can be rotated by the -USR1 signal only if
       the reconfiguration by the -HUP signal was made twice.
2005-06-15 18:33:41 +00:00
Igor Sysoev
403d2443a3 nginx-0.1.34-RELEASE import
*) Bugfix: the worker process may get caught in an endless loop if the
       big response part was included by SSI.

    *) Bugfix: the variables set by the "set" directive were not available
       in SSI.

    *) Feature: the "autoindex_localtime" directive.

    *) Bugfix: the empty value of the "proxy_set_header" directive forbids
       the client request header line passing.
2005-05-26 18:12:40 +00:00
Igor Sysoev
899b44eab2 nginx-0.1.29-RELEASE import
*) Feature: the ngx_http_ssi_module supports "include virtual" command.

    *) Feature: the ngx_http_ssi_module supports the condition command like
       'if expr="$NAME"' and "else" and "endif" commands. Only one nested
       level is supported.

    *) Feature: the ngx_http_ssi_module supports the DATE_LOCAL and
       DATE_GMT variables and "config timefmt" command.

    *) Feature: the "ssi_ignore_recycled_buffers" directive.

    *) Bugfix: the "echo" command did not show the default value for the
       empty QUERY_STRING variable.

    *) Change: the ngx_http_proxy_module was rewritten.

    *) Feature: the "proxy_redirect", "proxy_pass_request_headers",
       "proxy_pass_request_body", and "proxy_method" directives.

    *) Feature: the "proxy_set_header" directive. The "proxy_x_var" was
       canceled and must be replaced with the proxy_set_header directive.

    *) Change: the "proxy_preserve_host" is canceled and must be replaced
       with the "proxy_set_header Host $host" and the "proxy_redirect off"
       directives, the "proxy_set_header Host $host:$proxy_port" directive
       and the appropriate proxy_redirect directives.

    *) Change: the "proxy_set_x_real_ip" is canceled and must be replaced
       with the "proxy_set_header X-Real-IP $remote_addr" directive.

    *) Change: the "proxy_add_x_forwarded_for" is canceled and must be
       replaced with
       the "proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for"
       directive.

    *) Change: the "proxy_set_x_url" is canceled and must be replaced with
       the "proxy_set_header X-URL http://$host:$server_port$request_uri"
       directive.

    *) Feature: the "fastcgi_param" directive.

    *) Change: the "fastcgi_root", "fastcgi_set_var" and "fastcgi_params"
       directives are canceled and must be replaced with the fastcgi_param
       directives.

    *) Feature: the "index" directive can use the variables.

    *) Feature: the "index" directive can be used at http and server levels.

    *) Change: the last index only in the "index" directive can be absolute.

    *) Feature: the "rewrite" directive can use the variables.

    *) Feature: the "internal" directive.

    *) Feature: the CONTENT_LENGTH, CONTENT_TYPE, REMOTE_PORT, SERVER_ADDR,
       SERVER_PORT, SERVER_PROTOCOL, DOCUMENT_ROOT, SERVER_NAME,
       REQUEST_METHOD, REQUEST_URI, and REMOTE_USER variables.

    *) Change: nginx now passes the invalid lines in a client request
       headers or a backend response header.

    *) Bugfix: if the backend did not transfer response for a long time and
       the "send_timeout" was less than "proxy_read_timeout", then nginx
       returned the 408 response.

    *) Bugfix: the segmentation fault occurred if the backend sent an
       invalid line in response header; the bug had appeared in 0.1.26.

    *) Bugfix: the segmentation fault may occur in FastCGI fault
       tolerance configuration.

    *) Bugfix: the "expires" directive did not remove the previous
       "Expires" and "Cache-Control" headers.

    *) Bugfix: nginx did not take into account trailing dot in "Host"
       header line.

    *) Bugfix: the ngx_http_auth_module did not work under Linux.

    *) Bugfix: the rewrite directive worked incorrectly, if the arguments
       were in a request.

    *) Bugfix: nginx could not be built on MacOS X.
2005-05-12 14:58:06 +00:00
Igor Sysoev
4d656dcd0b nginx-0.1.26-RELEASE import
*) Change: the invalid client header lines are now ignored and logged
       at the info level.

    *) Change: the server name is also logged in error log.

    *) Feature: the ngx_http_auth_basic_module module and the auth_basic
       and auth_basic_user_file directives.
2005-03-22 16:02:46 +00:00
Igor Sysoev
c15717285d nginx-0.1.25-RELEASE import
*) Bugfix: nginx did run on Linux parisc.

    *) Feature: nginx now does not start under FreeBSD if the sysctl
       kern.ipc.somaxconn value is too big.

    *) Bugfix: if a request was internally redirected by the
       ngx_http_index_module module to the ngx_http_proxy_module or
       ngx_http_fastcgi_module modules, then the index file was not closed
       after request completion.

    *) Feature: the "proxy_pass" can be used in location with regular
       expression.

    *) Feature: the ngx_http_rewrite_filter_module module supports the
       condition like "if ($HTTP_USER_AGENT ~ MSIE)".

    *) Bugfix: nginx started too slow if the large number of addresses and
       text values were used in the "geo" directive.

    *) Change: a variable name must be declared as "$name" in the "geo"
       directive. The previous variant without "$" is still supported, but
       will be removed soon.

    *) Feature: the "%{VARIABLE}v" logging parameter.

    *) Feature: the "set $name value" directive.

    *) Bugfix: gcc 4.0 compatibility.

    *) Feature: the --with-openssl-opt=OPTIONS autoconfiguration directive.
2005-03-19 12:38:37 +00:00