Commit Graph

6160 Commits

Author SHA1 Message Date
Maxim Dounin
92111c92e5 Range filter: protect from total size overflows.
The overflow can be used to circumvent the restriction on total size of
ranges introduced in c2a91088b0c0 (1.1.2).  Additionally, overflow
allows producing ranges with negative start (such ranges can be created
by using a suffix, "bytes=-100"; normally this results in 200 due to
the total size check).  These can result in the following errors in logs:

[crit] ... pread() ... failed (22: Invalid argument)
[alert] ... sendfile() failed (22: Invalid argument)

When using cache, it can be also used to reveal cache file header.
It is believed that there are no other negative effects, at least with
standard nginx modules.

In theory, this can also result in memory disclosure and/or segmentation
faults if multiple ranges are allowed, and the response is returned in a
single in-memory buffer.  This never happens with standard nginx modules
though, as well as known 3rd party modules.

Fix is to properly protect from possible overflow when incrementing size.
2017-07-11 16:06:23 +03:00
Ruslan Ermilov
a54e3193bf Variables: use ngx_http_variable_null_value where appropriate. 2017-07-07 14:34:21 +03:00
Ruslan Ermilov
6330817a96 Resolver: cancelable resend timer event.
It is safe because re-sending still works during graceful shutdown as
long as resolving takes place (and resolve tasks set their own timeouts
that are not cancelable).

Also, the new ctx->cancelable flag can be set to make resolve task's
timeout event cancelable.
2017-07-04 18:50:41 +03:00
Sergey Kandaurov
225a5c7704 Resolver: factored out setting a timer for resolver timeout.
No functional changes.
2017-07-04 18:46:30 +03:00
Ruslan Ermilov
d0071f08e8 Slab: fixed small allocations on systems with large pagesize.
Notably, on ppc64 with 64k pagesize, slab 0 (of size 8) requires
128 64-bit elements for bitmasks.  The code bogusly assumed that
one uintptr_t is enough for bitmasks plus at least one free slot.
2017-07-04 18:32:30 +03:00
Ruslan Ermilov
75c3f8958b Slab: style. 2017-07-04 18:32:28 +03:00
Roman Arutyunyan
7570718594 Resolver: fixed possible use-after-free while resolving SRV.
Resolving an SRV record includes resolving its host names in subrequests.
Previously, if memory allocation failed while reporting a subrequest result
after receiving a response from a DNS server, the SRV resolve handler was
called immediately with the NGX_ERROR state.  However, if the SRV record
included another copy of the resolved name, it was reported once again.
This could trigger the use-after-free memory access after SRV resolve
handler freed the resolve context by calling ngx_resolve_name_done().

Now the SRV resolve handler is called only when all its subrequests are
completed.
2017-07-04 18:07:29 +03:00
Piotr Sikora
32e3d0e693 Proxy: split configured header names and values.
Previously, each configured header was represented in one of two ways,
depending on whether or not its value included any variables.

If the value didn't include any variables, then it would be represented
as as a single script that contained complete header line with HTTP/1.1
delimiters, i.e.:

     "Header: value\r\n"

But if the value included any variables, then it would be represented
as a series of three scripts: first contained header name and the ": "
delimiter, second evaluated to header value, and third contained only
"\r\n", i.e.:

     "Header: "
     "$value"
     "\r\n"

This commit changes that, so that each configured header is represented
as a series of two scripts: first contains only header name, and second
contains (or evaluates to) only header value, i.e.:

    "Header"
    "$value"

or

    "Header"
    "value"

This not only makes things more consistent, but also allows header name
and value to be accessed separately.

Signed-off-by: Piotr Sikora <piotrsikora@google.com>
2017-03-15 15:55:35 -07:00
Maxim Dounin
3057fca368 Version bump. 2017-07-03 16:58:08 +03:00
Maxim Dounin
95dcba6b37 release-1.13.2 tag 2017-06-27 17:44:18 +03:00
Maxim Dounin
2b6b360b83 nginx-1.13.2-RELEASE 2017-06-27 17:44:17 +03:00
Maxim Dounin
774f179a9b Range filter: allowed ranges on empty files (ticket #1031).
As per RFC 2616 / RFC 7233, any range request to an empty file
is expected to result in 416 Range Not Satisfiable response, as
there cannot be a "byte-range-spec whose first-byte-pos is less
than the current length of the entity-body".  On the other hand,
this makes use of byte-range requests inconvenient in some cases,
as reported for the slice module here:

http://mailman.nginx.org/pipermail/nginx-devel/2017-June/010177.html

This commit changes range filter to instead return 200 if the file
is empty and the range requested starts at 0.
2017-06-27 00:53:46 +03:00
Maxim Dounin
6433c841a0 Upstream: introduced ngx_http_upstream_ssl_handshake_handler().
This change reworks 13a5f4765887 to only run posted requests once,
with nothing on stack.  Running posted requests with other request
functions on stack may result in use-after-free in case of errors,
similar to the one reported in #788.

To only run posted request once, a separate function was introduced
to be used as ssl handshake handler in c->ssl->handler,
ngx_http_upstream_ssl_handshake_handler().  The ngx_http_run_posted_requests()
is only called in this function, and not in ngx_http_upstream_ssl_handshake()
which may be called directly on stack.

Additionaly, ngx_http_upstream_ssl_handshake_handler() now does appropriate
debug logging of the current subrequest, similar to what is done in other
event handlers.
2017-06-22 21:09:06 +03:00
Roman Arutyunyan
efa61f42c1 Upstream: fixed running posted requests (ticket #788).
Previously, the upstream resolve handler always called
ngx_http_run_posted_requests() to run posted requests after processing the
resolver response.  However, if the handler was called directly from the
ngx_resolve_name() function (for example, if the resolver response was cached),
running posted requests from the handler could lead to the following errors:

- If the request was scheduled for termination, it could actually be terminated
in the resolve handler.  Upper stack frames could reference the freed request
object in this case.

- If a significant number of requests were posted, and for each of them the
resolve handler was called directly from the ngx_resolve_name() function,
posted requests could be run recursively and lead to stack overflow.

Now ngx_http_run_posted_requests() is only called from asynchronously invoked
resolve handlers.
2017-06-14 20:13:41 +03:00
Roman Arutyunyan
439e205255 Resolver: added the "async" flag to resolver context.
The flag indicates that the resolve handler is called asynchronously after the
resolve function ngx_resolve_name()/ngx_resolve_addr() exited.
2017-06-14 18:13:31 +03:00
Bart Warmerdam
b0b24e8a30 Resolver: fixed allocation error handling while resolving SRV. 2017-06-19 14:25:42 +03:00
Ruslan Ermilov
6a4a1f0e23 Introduced ngx_rwlock_downgrade(). 2017-06-16 18:15:58 +03:00
Ruslan Ermilov
3f26c20756 Added memory barrier semantics to ngx_rwlock_unlock(). 2017-06-16 18:15:53 +03:00
Piotr Sikora
8310d81dc7 Headers filter: added "add_trailer" directive.
Trailers added using this directive are evaluated after response body
is processed by output filters (but before it's written to the wire),
so it's possible to use variables calculated from the response body
as the trailer value.

Signed-off-by: Piotr Sikora <piotrsikora@google.com>
2017-03-24 03:37:34 -07:00
Piotr Sikora
d85f2f9e92 HTTP/2: added support for trailers in HTTP responses.
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
2017-03-24 03:37:34 -07:00
Piotr Sikora
cfdce50657 Added support for trailers in HTTP responses.
Example:

   ngx_table_elt_t  *h;

   h = ngx_list_push(&r->headers_out.trailers);
   if (h == NULL) {
       return NGX_ERROR;
   }

   ngx_str_set(&h->key, "Fun");
   ngx_str_set(&h->value, "with trailers");
   h->hash = ngx_hash_key_lc(h->key.data, h->key.len);

The code above adds "Fun: with trailers" trailer to the response.

Modules that want to emit trailers must set r->expect_trailers = 1
in header filter, otherwise they might not be emitted for HTTP/1.1
responses that aren't already chunked.

This change also adds $sent_trailer_* variables.

Signed-off-by: Piotr Sikora <piotrsikora@google.com>
2017-03-24 03:37:34 -07:00
Ruslan Ermilov
fa0992ed29 Gzip: fixed style in $gzip_ratio variable handler.
The current style in variable handlers returning NGX_OK is to either set
v->not_found to 1, or to initialize the entire ngx_http_variable_value_t
structure.

In theory, always setting v->valid = 1 for NGX_OK would be useful, which
would mean that the value was computed and is thus valid, including the
special case of v->not_found = 1.  But currently that's not the case and
causes the (v->valid || v->not_found) check to access an uninitialized
v->valid value, which is safe only because its value doesn't matter when
v->not_found is set.
2017-06-14 12:49:20 +03:00
Ruslan Ermilov
731d1fee8a Removed excessive casts for ngx_file_info(). 2017-06-14 12:29:52 +03:00
Orgad Shaneh
90727eb857 Configure: use .exe for binaries for all win32 compilers. 2017-06-06 19:37:34 +03:00
Orgad Shaneh
884b762dbb Configure: fix compilation on MSYS2 / MinGW64. 2017-06-06 18:13:39 +03:00
Piotr Sikora
13f49b0013 HTTP/2: reject HTTP/2 requests without ":scheme" pseudo-header.
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
2017-06-13 17:01:08 +03:00
Sergey Kandaurov
aa04b091ae Userid: ngx_http_get_indexed_variable() error handling.
When evaluating a mapped $reset_uid variable in the userid filter,
if get_handler set to ngx_http_map_variable() returned an error,
this previously resulted in a NULL pointer dereference.
2017-06-07 18:46:36 +03:00
Sergey Kandaurov
b0de3d7013 Fixed segfault in try_files with nested location.
If memory allocation of a new r->uri.data storage failed, reset its length as
well.  Request URI is used in ngx_http_finalize_request() for debug logging.
2017-06-07 18:46:35 +03:00
Sergey Kandaurov
dec513d6e4 SSI: return NGX_ERROR when timefmt memory allocation failed.
Previously, when using NGX_HTTP_SSI_ERROR, error was ignored in ssi processing,
thus timefmt could be accessed later in ngx_http_ssi_date_gmt_local_variable()
as part of "set" handler, or NULL format pointer could be passed to strftime().
2017-06-07 15:21:42 +03:00
Piotr Sikora
51a4a414ca HTTP/2: don't send SETTINGS ACK before already queued DATA frames.
Previously, SETTINGS ACK was sent immediately upon receipt of SETTINGS
frame, before already queued DATA frames created using old SETTINGS.

This incorrect behavior was source of interoperability issues, because
peers rely on the fact that new SETTINGS are in effect after receiving
SETTINGS ACK.

Reported by Feng Li.

Signed-off-by: Piotr Sikora <piotrsikora@google.com>
2017-06-02 15:05:32 +03:00
Piotr Sikora
ca53600ac0 HTTP/2: make SETTINGS ACK frame reusable.
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
2017-06-02 15:05:28 +03:00
Piotr Sikora
1429139c57 HTTP/2: send SETTINGS ACK after applying all SETTINGS params.
This avoids sending unnecessary SETTINGS ACK in case of PROTOCOL_ERROR.

Signed-off-by: Piotr Sikora <piotrsikora@google.com>
2017-06-02 15:05:24 +03:00
Piotr Sikora
6cfc65c993 HTTP/2: emit new frames only after applying all SETTINGS params.
Previously, new frames could be emitted in the middle of applying
new (and already acknowledged) SETTINGS params, which is illegal.

Signed-off-by: Piotr Sikora <piotrsikora@google.com>
2017-06-02 15:05:20 +03:00
Sergey Kandaurov
f0b0003f38 Configure: enabled rpath for NetBSD. 2017-06-02 12:55:31 +03:00
Roman Arutyunyan
3259595970 Configure: disabled IP_PKTINFO feature on certain platforms.
On Cygwin and NetBSD 7.0+ struct in_pktinfo has no ipi_spec_dst field, which
caused nginx compilation error.  Now presence of this field is ensured by the
IP_PKTINFO feature test.

The problem was introduced by dbb0c854e308 (1.13.0).
2017-06-01 15:44:23 +03:00
Maxim Dounin
62a95ace42 Style. 2017-06-01 16:49:14 +03:00
Piotr Sikora
a9908c9685 Upstream: style.
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
2017-05-31 13:51:36 -07:00
Piotr Sikora
7820e569af Headers filter: style.
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
2017-05-31 13:51:35 -07:00
Piotr Sikora
95955b7c04 HTTP/2: add debug logging of pseudo-headers and cookies.
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
2017-05-30 17:42:27 +03:00
Valentin Bartenev
92cc3059fe Version bump. 2017-05-30 19:29:45 +03:00
Maxim Dounin
8bdbeac736 release-1.13.1 tag 2017-05-30 17:55:23 +03:00
Maxim Dounin
b84e8f713d nginx-1.13.1-RELEASE 2017-05-30 17:55:22 +03:00
Maxim Dounin
6cfbb1c5ae Updated OpenSSL used for win32 builds. 2017-05-30 17:14:00 +03:00
Roman Arutyunyan
d1d48ed844 Fixed background requests with asynchronous operations.
If the main request was finalized while a background request performed an
asynchronous operation, the main request ended up in ngx_http_writer() and was
not finalized until a network event or a timeout.  For example, cache
background update with aio enabled made nginx unable to process further client
requests or close the connection, keeping it open until client closes it.

Now regular finalization of the main request is not suspended because of an
asynchronous operation in another request.

If a background request was terminated while an asynchronous operation was in
progress, background request's write event handler was changed to
ngx_http_request_finalizer() and never called again.

Now, whenever a request is terminated while an asynchronous operation is in
progress, connection error flag is set to make further finalizations of any
request with this connection lead to termination.

These issues appeared in 1aeaae6e9446 (not yet released).
2017-05-29 23:33:38 +03:00
Maxim Dounin
529ce10058 Configure: sched_setaffinity() test moved to auto/unix.
The sched_setaffinity() function was introduced in DragonFly BSD 4.7,
so it is no longer Linux-specific.

Prodded by Sepherosa Ziehau.
2017-05-29 16:48:30 +03:00
Maxim Dounin
0514e14a8b Style: changed checks of ngx_ssl_create_connection() to != NGX_OK.
In http these checks were changed in a6d6d762c554, though mail module
was missed at that time.  Since then, the stream module was introduced
based on mail, using "== NGX_ERROR" check.
2017-05-29 16:34:35 +03:00
Maxim Dounin
2db69fed2c SSL: set TCP_NODELAY on SSL connections before handshake.
With OpenSSL 1.1.0+, the workaround for handshake buffer size as introduced
in a720f0b0e083 (ticket #413) no longer works, as OpenSSL no longer exposes
handshake buffers, see https://github.com/openssl/openssl/commit/2e7dc7cd688.
Moreover, it is no longer possible to adjust handshake buffers at all now.

To avoid additional RTT if handshake uses more than 4k we now set TCP_NODELAY
on SSL connections before handshake.  While this still results in sub-optimal
network utilization due to incomplete packets being sent, it seems to be
better than nothing.
2017-05-29 16:34:29 +03:00
Ruslan Ermilov
b66c18d2d5 Introduced ngx_tcp_nodelay(). 2017-05-26 22:52:48 +03:00
Roman Arutyunyan
8644d9491a Background subrequests for cache updates.
Previously, cache background update might not work as expected, making client
wait for it to complete before receiving the final part of a stale response.
This could happen if the response could not be sent to the client socket in one
filter chain call.

Now background cache update is done in a background subrequest.  This type of
subrequest does not block any other subrequests or the main request.
2017-05-25 15:57:59 +03:00
Roman Arutyunyan
c83922b18d Fixed deferred accept with EPOLLRDHUP enabled (ticket #1278).
Previously, the read event of the accepted connection was marked ready, but not
available.  This made EPOLLRDHUP-related code (for example, in ngx_unix_recv())
expect more data from the socket, leading to unexpected behavior.

For example, if SSL, PROXY protocol and deferred accept were enabled on a listen
socket, the client connection was aborted due to unexpected return value of
c->recv().
2017-05-24 13:17:08 +03:00