Skip to content
Branch: master
Commits on Sep 18, 2019
  1. HTTP/2: traffic-based flood detection.

    mdounin committed Sep 18, 2019
    With this patch, all traffic over an HTTP/2 connection is counted in
    the h2c->total_bytes field, and payload traffic is counted in
    the h2c->payload_bytes field.  As long as total traffic is many times
    larger than payload traffic, we consider this to be a flood.
  2. HTTP/2: switched back to RST_STREAM with NO_ERROR.

    mdounin committed Sep 18, 2019
    In 8df664ebe037, we've switched to maximizing stream window instead
    of sending RST_STREAM.  Since then handling of RST_STREAM with NO_ERROR
    was fixed at least in Chrome, hence we switch back to using RST_STREAM.
    This allows more effective rejecting of large bodies, and also minimizes
    non-payload traffic to be accounted in the next patch.
Commits on Sep 16, 2019
  1. SSL: fixed ssl_verify_client error message.

    Sergey Kandaurov
    Sergey Kandaurov committed Sep 16, 2019
Commits on Sep 10, 2019
  1. Resolver: fixed possible use-after-free while resolving PTR.

    Sergey Kandaurov
    Sergey Kandaurov committed Sep 10, 2019
    Previously, if a response to the PTR request was cached, and ngx_resolver_dup()
    failed to allocate memory for the resulting name, then the original node was
    freed but left in expire_queue.  A subsequent address resolving would end up
    in a use-after-free memory access of the node either in ngx_resolver_expire()
    or ngx_resolver_process_ptr(), when accessing it through expire_queue.
    The fix is to leave the resolver node intact.
  2. HTTP/2: close connection on zero WINDOW_UPDATE.

    Ruslan Ermilov
    Ruslan Ermilov committed Sep 10, 2019
    Don't waste server resources by sending RST_STREAM frames.  Instead,
    reject WINDOW_UPDATE frames with invalid zero increment by closing
    connection with PROTOCOL_ERROR.
  3. HTTP/2: close connection on frames with self-dependency.

    Ruslan Ermilov
    Ruslan Ermilov committed Sep 10, 2019
    Don't waste server resources by sending RST_STREAM frames.  Instead,
    reject HEADERS and PRIORITY frames with self-dependency by closing
    connection with PROTOCOL_ERROR.
Commits on Sep 4, 2019
  1. Fixed "return" with discarding invalid chunked body.

    Sergey Kandaurov
    Sergey Kandaurov committed Sep 4, 2019
    When ngx_http_discard_request_body() call was added to ngx_http_send_response(),
    there were no return codes other than NGX_OK and NGX_HTTP_INTERNAL_SERVER_ERROR.
    Now it can also return NGX_HTTP_BAD_REQUEST, but ngx_http_send_response() still
    incorrectly transforms it to NGX_HTTP_INTERNAL_SERVER_ERROR.
    The fix is to propagate ngx_http_discard_request_body() errors.
Commits on Sep 3, 2019
  1. Detect runaway chunks in ngx_http_parse_chunked().

    Sergey Kandaurov
    Sergey Kandaurov committed Sep 3, 2019
    As defined in HTTP/1.1, body chunks have the following ABNF:
       chunk = chunk-size [ chunk-ext ] CRLF chunk-data CRLF
    where chunk-data is a sequence of chunk-size octets.
    With this change, chunk-data that doesn't end up with CRLF at chunk-size
    offset will be treated as invalid, such as in the example provided below:
Commits on Aug 19, 2019
  1. HTTP/2: discard remaining request body after redirect.

    Sergey Kandaurov
    Sergey Kandaurov committed Aug 19, 2019
    Previously, if unbuffered request body reading wasn't finished before
    the request was redirected to a different location using error_page
    or X-Accel-Redirect, and the request body is read again, this could
    lead to disastrous effects, such as a duplicate post_handler call or
    "http request count is zero" alert followed by a segmentation fault.
    This happened in the following configuration (ticket #1819):
        location / {
            proxy_request_buffering off;
            proxy_pass http://bad;
            proxy_intercept_errors on;
            error_page 502 = /error;
        location /error {
            proxy_pass http://backend;
Commits on Aug 16, 2019
  1. SSL: lowered log level for WSAECONNABORTED errors on Windows.

    mdounin committed Aug 16, 2019
    Winsock uses ECONNABORTED instead of ECONNRESET in some cases.
    For non-SSL connections this is already handled since baad3036086e.
    Reported at
  2. Version bump.

    mdounin committed Aug 16, 2019
Commits on Aug 13, 2019
  1. release-1.17.3 tag

    mdounin committed Aug 13, 2019
  2. nginx-1.17.3-RELEASE

    mdounin committed Aug 13, 2019
  3. HTTP/2: limited number of PRIORITY frames.

    Ruslan Ermilov
    Ruslan Ermilov committed Aug 13, 2019
    Fixed excessive CPU usage caused by a peer that continuously shuffles
    priority of streams.  Fix is to limit the number of PRIORITY frames.
  4. HTTP/2: limited number of DATA frames.

    Ruslan Ermilov
    Ruslan Ermilov committed Aug 13, 2019
    Fixed excessive memory growth and CPU usage if stream windows are
    manipulated in a way that results in generating many small DATA frames.
    Fix is to limit the number of simultaneously allocated DATA frames.
  5. HTTP/2: reject zero length headers with PROTOCOL_ERROR.

    Sergey Kandaurov
    Sergey Kandaurov committed Aug 13, 2019
    Fixed uncontrolled memory growth if peer sends a stream of
    headers with a 0-length header name and 0-length header value.
    Fix is to reject headers with zero name length.
Commits on Aug 1, 2019
  1. Mail: fixed duplicate resolving.

    mdounin committed Aug 1, 2019
    When using SMTP with SSL and resolver, read events might be enabled
    during address resolving, leading to duplicate ngx_mail_ssl_handshake_handler()
    calls if something arrives from the client, and duplicate session
    initialization - including starting another resolving.  This can lead
    to a segmentation fault if the session is closed after first resolving
    finished.  Fix is to block read events while resolving.
    Reported by Robert Norris,
Commits on Jul 31, 2019
  1. Gzip: fixed "zero size buf" alerts after ac5a741d39cf.

    mdounin committed Jul 31, 2019
    After ac5a741d39cf it is now possible that after zstream.avail_out
    reaches 0 and we allocate additional buffer, there will be no more data
    to put into this buffer, triggering "zero size buf" alert.  Fix is to
    reset b->temporary flag in this case.
    Additionally, an optimization added to avoid allocating additional buffer
    in this case, by checking if last deflate() call returned Z_STREAM_END.
    Note that checking for Z_STREAM_END by itself is not enough to fix alerts,
    as deflate() can return Z_STREAM_END without producing any output if the
    buffer is smaller than gzip trailer.
    Reported by Witold Filipczyk,
  2. Version bump.

    mdounin committed Jul 31, 2019
Commits on Jul 23, 2019
  1. release-1.17.2 tag

    mdounin committed Jul 23, 2019
  2. nginx-1.17.2-RELEASE

    mdounin committed Jul 23, 2019
Commits on Jul 19, 2019
  1. Core: fixed memory leak on error, missed in c3f60d618c17.

    mdounin committed Jul 19, 2019
    Found by Coverity (CID 1451664).
Commits on Jul 18, 2019
  1. Xslt: fixed potential buffer overflow with null character.

    mdounin committed Jul 18, 2019
    Due to shortcomings of the ccv->zero flag implementation in complex value
    interface, length of the resulting string from ngx_http_complex_value()
    might either not include terminating null character or include it,
    so the only safe way to work with the result is to use it as a
    null-terminated string.
    Reported by Patrick Wollgast.
  2. SSI: avoid potential buffer overflow.

    mdounin committed Jul 18, 2019
    When "-" follows a parameter of maximum length, a single byte buffer
    overflow happens, since the error branch does not check parameter length.
    Fix is to avoid saving "-" to the parameter key, and instead use an error
    message with "-" explicitly written.  The message is mostly identical to
    one used in similar cases in the preequal state.
    Reported by Patrick Wollgast.
  3. Upstream: fixed EOF handling in unbuffered and upgraded modes.

    mdounin committed Jul 18, 2019
    With level-triggered event methods it is important to specify
    the NGX_CLOSE_EVENT flag to ngx_handle_read_event(), otherwise
    the event won't be removed, resulting in CPU hog.
    Reported by Patrick Wollgast.
  4. HTTP/2: return error on output on closed stream.

    mdounin committed Jul 18, 2019
    Without this, an (incorrect) output on a closed stream could result in
    a socket leak.
  5. Core: fixed segfault with too large bucket sizes (ticket #1806).

    mdounin committed Jul 18, 2019
    To save memory hash code uses u_short to store resulting bucket sizes,
    so maximum bucket size is limited to 65536 minus ngx_cacheline_size (larger
    values will be aligned to 65536 which will overflow u_short).  However,
    there were no checks to enforce this, and using larger bucket sizes
    resulted in overflows and segmentation faults.
    Appropriate safety checks to enforce this added to ngx_hash_init().
Commits on Jul 17, 2019
Commits on Jul 12, 2019
  1. Gzip: use zlib to write header and trailer.

    iii-i committed Jul 12, 2019
    When nginx is used with zlib patched with [1], which provides
    integration with the future IBM Z hardware deflate acceleration, it ends
    up computing CRC32 twice: one time in hardware, which always does this,
    and one time in software by explicitly calling crc32().
    crc32() calls were added in changesets 133:b27548f540ad ("nginx-0.0.1-
    2003-09-24-23:51:12 import") and 134:d57c6835225c ("nginx-0.0.1-
    2003-09-26-09:45:21 import") as part of gzip wrapping feature - back
    then zlib did not support it.
    However, since then gzip wrapping was implemented in zlib v1.2.0.4,
    and it's already being used by nginx for log compression.
    This patch replaces hand-written gzip wrapping with the one provided by
    zlib. It simplifies the code, and makes it avoid computing CRC32 twice
    when using hardware acceleration.
    [1] madler/zlib#410
  2. Perl: expect escaped URIs in $r->internal_redirect().

    mdounin committed Jul 12, 2019
    Similarly to the change in 5491:74bfa803a5aa (1.5.9), we should accept
    properly escaped URIs and unescape them as needed, else it is not possible
    to handle URIs with question marks.
  3. Perl: additional ctx->header_sent checks.

    mdounin committed Jul 12, 2019
    As we now have ctx->header_sent flag, it is further used to prevent
    duplicate $r->send_http_header() calls, prevent output before sending
    header, and $r->internal_redirect() after sending header.
    Further, $r->send_http_header() protected from calls after
  4. Perl: avoid returning 500 if header was already sent.

    mdounin committed Jul 12, 2019
    Returning NGX_HTTP_INTERNAL_SERVER_ERROR if a perl code died after
    sending header will lead to a "header already sent" alert.  To avoid
    it, we now check if header was already sent, and return NGX_ERROR
    instead if it was.
  5. Perl: avoid redirects on errors.

    mdounin committed Jul 12, 2019
    Previously, redirects scheduled with $r->internal_redirect() were followed
    even if the code then died.  Now these are ignored and nginx will return
    an error instead.
  6. Perl: disabled unrelated calls from variable handlers.

    mdounin committed Jul 12, 2019
    Variable handlers are not expected to send anything to the client, cannot
    sleep or read body, and are not expected to modify the request.  Added
    appropriate protection to prevent accidental foot shooting.
You can’t perform that action at this time.