Commit Graph

6545 Commits

Author SHA1 Message Date
Roman Arutyunyan
418124e219 Secure link: fixed stack buffer overflow.
When secure link checksum has length of 23 or 24 bytes, decoded base64 value
could occupy 17 or 18 bytes which is more than 16 bytes previously allocated
for it on stack.  The buffer overflow does not have any security implications
since only one local variable was corrupted and this variable was not used in
this case.

The fix is to increase buffer size up to 18 bytes.  Useless buffer size
initialization is removed as well.
2017-08-22 21:22:59 +03:00
Maxim Dounin
6a2e409833 Upstream: unconditional parsing of last_modified_time.
This fixes at least the following cases, where no last_modified_time
(assuming caching is not enabled) resulted in incorrect behaviour:

- slice filter and If-Range requests (ticket #1357);
- If-Range requests with proxy_force_ranges;
- expires modified.
2017-08-23 19:20:06 +03:00
Maxim Dounin
ed0cc4d523 SSL: fixed possible use-after-free in $ssl_server_name.
The $ssl_server_name variable used SSL_get_servername() result directly,
but this is not safe: it references a memory allocation in an SSL
session, and this memory might be freed at any time due to renegotiation.
Instead, copy the name to memory allocated from the pool.
2017-08-22 17:36:12 +03:00
Maxim Dounin
50a0f25c60 SSL: the $ssl_client_escaped_cert variable (ticket #857).
This variable contains URL-encoded client SSL certificate.  In contrast
to $ssl_client_cert, it doesn't depend on deprecated header continuation.
The NGX_ESCAPE_URI_COMPONENT variant of encoding is used, so the resulting
variable can be safely used not only in headers, but also as a request
argument.

The $ssl_client_cert variable should be considered deprecated now.
The $ssl_client_raw_cert variable will be eventually renambed back
to $ssl_client_cert.
2017-08-22 15:18:10 +03:00
Maxim Dounin
008e9caa2a Range filter: changed type for total length to off_t.
Total length of a response with multiple ranges can be larger than a size_t
variable can hold, so type changed to off_t.  Previously, an incorrect
Content-Length was returned when requesting more than 4G of ranges from
a large enough file on a 32-bit system.

An additional size_t variable introduced to calculate size of the boundary
header buffer, as off_t is not needed here and will require type casts on
win32.

Reported by Shuxin Yang,
http://mailman.nginx.org/pipermail/nginx/2017-July/054384.html.
2017-08-10 22:21:23 +03:00
Maxim Dounin
dd5ab4a11f Restored ngx_event_aio_t layout for debug logging.
The "fd" field should be after 3 pointers for ngx_event_ident() to use it.
This was broken by ccad84a174e0.  While it does not seem to be currently used
for aio-related events, it should be a good idea to preserve the correct
layout nevertheless.
2017-08-10 22:21:22 +03:00
Maxim Dounin
0f841fcdee Style. 2017-08-10 22:21:20 +03:00
Sergey Kandaurov
b986b4314b Fixed calls to ngx_open_file() in certain places.
Pass NGX_FILE_OPEN to ngx_open_file() to fix "The parameter is incorrect"
error on win32 when using the ssl_session_ticket_key directive or loading
a binary geo base.  On UNIX, this change is a no-op.
2017-08-09 15:03:27 +03:00
Sergey Kandaurov
32c7bd5102 Style. 2017-08-09 14:59:46 +03:00
Sergey Kandaurov
c7c13a21ad Version bump. 2017-08-09 14:59:44 +03:00
Maxim Dounin
0d9d858cea release-1.13.4 tag 2017-08-08 18:00:11 +03:00
Maxim Dounin
c556874e17 nginx-1.13.4-RELEASE 2017-08-08 18:00:11 +03:00
Maxim Dounin
3226fa82de Updated PCRE used for win32 builds. 2017-08-08 15:21:10 +03:00
Ruslan Ermilov
5f628fef3b Slab: fixed initialization on win32.
On Windows, a worker process does not call ngx_slab_init() from
ngx_init_zone_pool(), so ngx_slab_max_size, ngx_slab_exact_size,
and ngx_slab_exact_shift were left uninitialized.
2017-08-08 15:16:01 +03:00
Ruslan Ermilov
c9a81b29b5 Upstream: copy peer data in shared memory.
This, in addition to 1eb753aa8e5e, fixes "upstream zone" on Windows.
2017-08-04 17:03:10 +03:00
Ruslan Ermilov
c09bba400d Referer: fixed $invalid_referer.
The variable was considered non-existent in the absence of any
valid_referers directives.

Given the following config snippet,

    location / {
        return 200 $invalid_referer;
    }

    location /referer {
        valid_referers server_names;
    }

"location /" should work identically and independently on other
"location /referer".

The fix is to always add the $invalid_referer variable as long
as the module is compiled in, as is done by other modules.
2017-08-04 08:01:55 +03:00
Ruslan Ermilov
d846f27638 Upstream zone: store peers->name and its data in shared memory.
The shared objects should generally be allocated from shared memory.
While peers->name and the data it points to allocated from cf->pool
happened to work on UNIX, it broke on Windows.  On UNIX this worked
only because the shared memory zone for upstreams is re-created for
every new configuration.

But on Windows, a worker process does not inherit the address space
of the master process, so the peers->name pointed to data allocated
from cf->pool by the master process, and was invalid.
2017-08-01 19:12:10 +03:00
Ruslan Ermilov
b992f7259b Variables: macros for null variables.
No functional changes.
2017-08-01 14:28:33 +03:00
Ruslan Ermilov
83be971bc7 Browser: style.
Removed custom variable type and renamed function that adds variables.
2017-08-01 14:27:23 +03:00
Ruslan Ermilov
aa953f5346 Cache: fixed max_size on win32. 2017-07-26 13:13:51 +03:00
Sergey Kandaurov
9edd64fcd8 SSL: fixed typo in the error message. 2017-07-25 17:21:59 +03:00
Roman Arutyunyan
fb18ba2930 Mirror: "off" paramater of the "mirror" directive. 2017-07-21 19:47:56 +03:00
Roman Arutyunyan
3900d1cb3c Mirror module. 2017-07-20 08:50:49 +03:00
Roman Arutyunyan
129b06dc5d Precontent phase.
The phase is added instead of the try_files phase.  Unlike the old phase, the
new one supports registering multiple handlers.  The try_files implementation is
moved to a separate ngx_http_try_files_module, which now registers a precontent
phase handler.
2017-07-20 15:51:11 +03:00
Roman Arutyunyan
a87e05a331 Upstream: keep request body file from removal if requested.
The new request flag "preserve_body" indicates that the request body file should
not be removed by the upstream module because it may be used later by a
subrequest.  The flag is set by the SSI (ticket #585), addition and slice
modules.  Additionally, it is also set by the upstream module when a background
cache update subrequest is started to prevent the request body file removal
after an internal redirect.  Only the main request is now allowed to remove the
file.
2017-07-19 20:38:17 +03:00
Alex Zhang
2c8f93df87 Style.
Signed-off-by: Alex Zhang <zchao1995@gmail.com>
2017-07-19 21:39:40 +08:00
Samuel Martin
82aa89566b Configure: fixed PCRE requirement check by ngx_http_rewrite_module.
The http_rewrite module cannot be selected when http is disabled.
Fixed the PCRE check condition to avoid irrelevant check failure.
This is a regression from 4d874b4d82ed.

Signed-off-by: Samuel Martin <s.martin49@gmail.com>
2017-07-19 12:05:50 +03:00
Valentin Bartenev
9197a3c874 Parenthesized ASCII-related calculations.
This also fixes potential undefined behaviour in the range and slice filter
modules, caused by local overflows of signed integers in expressions.
2017-07-17 17:23:51 +03:00
Ruslan Ermilov
7b06d9c326 Style: aligned ngx_null_command. 2017-07-12 11:34:04 +03:00
Maxim Dounin
bedd9c5645 Core: fixed error message on setsockopt(SO_REUSEPORT) failure.
The error is fatal when configuring a new socket, so the ", ignored" part
is not appropriate and was removed.
2017-07-11 20:06:52 +03:00
Maxim Dounin
da165aae88 Core: disabled SO_REUSEPORT when testing config (ticket #1300).
When closing a socket with SO_REUSEPORT, Linux drops all connections waiting
in this socket's listen queue.  Previously, it was believed to only result
in connection resets when reconfiguring nginx to use smaller number of worker
processes.  It also results in connection resets during configuration
testing though.

Workaround is to avoid using SO_REUSEPORT when testing configuration.  It
should prevent listening sockets from being created if a conflicting socket
already exists, while still preserving detection of other possible errors.
It should also cover UDP sockets.

The only downside of this approach seems to be that a configuration testing
won't be able to properly report the case when nginx was compiled with
SO_REUSEPORT, but the kernel is not able to set it.  Such errors will be
reported on a real start instead.
2017-07-11 19:59:56 +03:00
Maxim Dounin
5a5e74082d Version bump. 2017-07-11 19:59:16 +03:00
Maxim Dounin
2ab1157a7e release-1.13.3 tag 2017-07-11 16:18:31 +03:00
Maxim Dounin
6454225872 nginx-1.13.3-RELEASE 2017-07-11 16:18:30 +03:00
Maxim Dounin
d289616b0f Range filter: avoid negative range start.
Suffix ranges no longer allowed to set negative start values, to prevent
ranges with negative start from appearing even if total size protection
will be removed.
2017-07-11 16:06:26 +03:00
Maxim Dounin
92111c92e5 Range filter: protect from total size overflows.
The overflow can be used to circumvent the restriction on total size of
ranges introduced in c2a91088b0c0 (1.1.2).  Additionally, overflow
allows producing ranges with negative start (such ranges can be created
by using a suffix, "bytes=-100"; normally this results in 200 due to
the total size check).  These can result in the following errors in logs:

[crit] ... pread() ... failed (22: Invalid argument)
[alert] ... sendfile() failed (22: Invalid argument)

When using cache, it can be also used to reveal cache file header.
It is believed that there are no other negative effects, at least with
standard nginx modules.

In theory, this can also result in memory disclosure and/or segmentation
faults if multiple ranges are allowed, and the response is returned in a
single in-memory buffer.  This never happens with standard nginx modules
though, as well as known 3rd party modules.

Fix is to properly protect from possible overflow when incrementing size.
2017-07-11 16:06:23 +03:00
Ruslan Ermilov
a54e3193bf Variables: use ngx_http_variable_null_value where appropriate. 2017-07-07 14:34:21 +03:00
Ruslan Ermilov
6330817a96 Resolver: cancelable resend timer event.
It is safe because re-sending still works during graceful shutdown as
long as resolving takes place (and resolve tasks set their own timeouts
that are not cancelable).

Also, the new ctx->cancelable flag can be set to make resolve task's
timeout event cancelable.
2017-07-04 18:50:41 +03:00
Sergey Kandaurov
225a5c7704 Resolver: factored out setting a timer for resolver timeout.
No functional changes.
2017-07-04 18:46:30 +03:00
Ruslan Ermilov
d0071f08e8 Slab: fixed small allocations on systems with large pagesize.
Notably, on ppc64 with 64k pagesize, slab 0 (of size 8) requires
128 64-bit elements for bitmasks.  The code bogusly assumed that
one uintptr_t is enough for bitmasks plus at least one free slot.
2017-07-04 18:32:30 +03:00
Ruslan Ermilov
75c3f8958b Slab: style. 2017-07-04 18:32:28 +03:00
Roman Arutyunyan
7570718594 Resolver: fixed possible use-after-free while resolving SRV.
Resolving an SRV record includes resolving its host names in subrequests.
Previously, if memory allocation failed while reporting a subrequest result
after receiving a response from a DNS server, the SRV resolve handler was
called immediately with the NGX_ERROR state.  However, if the SRV record
included another copy of the resolved name, it was reported once again.
This could trigger the use-after-free memory access after SRV resolve
handler freed the resolve context by calling ngx_resolve_name_done().

Now the SRV resolve handler is called only when all its subrequests are
completed.
2017-07-04 18:07:29 +03:00
Piotr Sikora
32e3d0e693 Proxy: split configured header names and values.
Previously, each configured header was represented in one of two ways,
depending on whether or not its value included any variables.

If the value didn't include any variables, then it would be represented
as as a single script that contained complete header line with HTTP/1.1
delimiters, i.e.:

     "Header: value\r\n"

But if the value included any variables, then it would be represented
as a series of three scripts: first contained header name and the ": "
delimiter, second evaluated to header value, and third contained only
"\r\n", i.e.:

     "Header: "
     "$value"
     "\r\n"

This commit changes that, so that each configured header is represented
as a series of two scripts: first contains only header name, and second
contains (or evaluates to) only header value, i.e.:

    "Header"
    "$value"

or

    "Header"
    "value"

This not only makes things more consistent, but also allows header name
and value to be accessed separately.

Signed-off-by: Piotr Sikora <piotrsikora@google.com>
2017-03-15 15:55:35 -07:00
Maxim Dounin
3057fca368 Version bump. 2017-07-03 16:58:08 +03:00
Maxim Dounin
95dcba6b37 release-1.13.2 tag 2017-06-27 17:44:18 +03:00
Maxim Dounin
2b6b360b83 nginx-1.13.2-RELEASE 2017-06-27 17:44:17 +03:00
Maxim Dounin
774f179a9b Range filter: allowed ranges on empty files (ticket #1031).
As per RFC 2616 / RFC 7233, any range request to an empty file
is expected to result in 416 Range Not Satisfiable response, as
there cannot be a "byte-range-spec whose first-byte-pos is less
than the current length of the entity-body".  On the other hand,
this makes use of byte-range requests inconvenient in some cases,
as reported for the slice module here:

http://mailman.nginx.org/pipermail/nginx-devel/2017-June/010177.html

This commit changes range filter to instead return 200 if the file
is empty and the range requested starts at 0.
2017-06-27 00:53:46 +03:00
Maxim Dounin
6433c841a0 Upstream: introduced ngx_http_upstream_ssl_handshake_handler().
This change reworks 13a5f4765887 to only run posted requests once,
with nothing on stack.  Running posted requests with other request
functions on stack may result in use-after-free in case of errors,
similar to the one reported in #788.

To only run posted request once, a separate function was introduced
to be used as ssl handshake handler in c->ssl->handler,
ngx_http_upstream_ssl_handshake_handler().  The ngx_http_run_posted_requests()
is only called in this function, and not in ngx_http_upstream_ssl_handshake()
which may be called directly on stack.

Additionaly, ngx_http_upstream_ssl_handshake_handler() now does appropriate
debug logging of the current subrequest, similar to what is done in other
event handlers.
2017-06-22 21:09:06 +03:00
Roman Arutyunyan
efa61f42c1 Upstream: fixed running posted requests (ticket #788).
Previously, the upstream resolve handler always called
ngx_http_run_posted_requests() to run posted requests after processing the
resolver response.  However, if the handler was called directly from the
ngx_resolve_name() function (for example, if the resolver response was cached),
running posted requests from the handler could lead to the following errors:

- If the request was scheduled for termination, it could actually be terminated
in the resolve handler.  Upper stack frames could reference the freed request
object in this case.

- If a significant number of requests were posted, and for each of them the
resolve handler was called directly from the ngx_resolve_name() function,
posted requests could be run recursively and lead to stack overflow.

Now ngx_http_run_posted_requests() is only called from asynchronously invoked
resolve handlers.
2017-06-14 20:13:41 +03:00
Roman Arutyunyan
439e205255 Resolver: added the "async" flag to resolver context.
The flag indicates that the resolve handler is called asynchronously after the
resolve function ngx_resolve_name()/ngx_resolve_addr() exited.
2017-06-14 18:13:31 +03:00