Commit Graph

5044 Commits

Author SHA1 Message Date
Ruslan Ermilov
cdbdbbd842 Xslt: fixed parameters parsing (ticket #1416).
If parameters were specified in xslt_stylesheet without variables,
any request except the first would cause an internal server error.
2017-11-16 13:20:47 +03:00
hucongcong
d303a95594 SSI: fixed type. 2017-10-27 00:30:38 +08:00
Maxim Dounin
cfc8c28259 FastCGI: adjust buffer position when parsing incomplete records.
Previously, nginx failed to move buffer position when parsing an incomplete
record header, and due to this wasn't be able to continue parsing once
remaining bytes of the record header were received.

This can affect response header parsing, potentially generating spurious errors
like "upstream sent unexpected FastCGI request id high byte: 1 while reading
response header from upstream".  While this is very unlikely, since usually
record headers are written in a single buffer, this still can happen in real
life, for example, if a record header will be split across two TCP packets
and the second packet will be delayed.

This does not affect non-buffered response body proxying, due to "buf->pos =
buf->last;" at the start of the ngx_http_fastcgi_non_buffered_filter()
function.  Also this does not affect buffered response body proxying, as
each input buffer is only passed to the filter once.
2017-11-09 15:35:20 +03:00
Maxim Dounin
9cb9ce78b1 Core: free shared memory zones only after reconfiguration.
This is what usually happens for zones no longer used in the new
configuration, but zones where size or tag were changed were freed
when creating new memory zones.  If reconfiguration failed (for
example, due to a conflicting listening socket), this resulted in a
segmentation fault in the master process.

Reported by Zhihua Cao,
http://mailman.nginx.org/pipermail/nginx-devel/2017-October/010536.html.
2017-10-17 19:52:16 +03:00
Sergey Kandaurov
fdbf551602 Postpone filter: handled ngx_http_postpone_filter_add() failures.
In particular, if ngx_http_postpone_filter_add() fails in ngx_chain_add_copy(),
the output chain of the postponed request was left in an invalid state.
2017-10-16 13:13:25 +03:00
Ruslan Ermilov
77c7875a7b Fixed type of ngx_conf_t.handler_conf.
The type should have been changed in c9b243802a17 along with
changing ngx_conf_handler_pt.
2017-10-13 00:32:26 +03:00
Alessandro Ghedini
5fee8f76b5 SSL: include <openssl/hmac.h>.
This header carries the definition of HMAC_Init_ex(). In OpenSSL this
header is included by <openssl/ssl.h>, but it's not so in BoringSSL.

It's probably a good idea to explicitly include this header anyway,
regardless of whether it's included by other headers or not.
2017-10-11 15:43:50 -07:00
Roman Arutyunyan
80f2e8f656 Upstream: disabled upgrading in subrequests.
Upgrading an upstream connection is usually followed by reading from the client
which a subrequest is not allowed to do.  Moreover, accessing the header_in
request field while processing upgraded connection ends up with a null pointer
dereference since the header_in buffer is only created for the the main request.
2017-10-11 17:38:21 +03:00
Ruslan Ermilov
f1be23bc8a Upstream: fixed $upstream_status when upstream returns 503/504.
If proxy_next_upstream includes http_503/http_504, and upstream
returns 503/504, $upstream_status converted this to 502 for any
values except the last one.
2017-10-11 22:04:28 +03:00
Ruslan Ermilov
211d20a230 Version bump. 2017-10-11 22:04:11 +03:00
Sergey Kandaurov
661e40864f Upstream: fixed error handling of stale and revalidated cache send.
The NGX_DONE value returned from ngx_http_upstream_cache_send() indicates
that upstream was already finalized in ngx_http_upstream_process_headers().
It was treated as a generic error which resulted in duplicate finalization.

Handled NGX_HTTP_UPSTREAM_INVALID_HEADER from ngx_http_upstream_cache_send().
Previously, it could return within ngx_http_upstream_finalize_request(), and
since it's below NGX_HTTP_SPECIAL_RESPONSE, a client connection could stuck.
2017-10-10 01:04:54 +03:00
Maxim Dounin
0737e6d841 Upstream: even better handling of invalid headers in cache files.
When parsing of headers in a cache file fails, already parsed headers
need to be cleared, and protocol state needs to be reinitialized.  To do
so, u->request_sent is now set to ensure ngx_http_upstream_reinit() will
be called.

This change complements improvements in 46ddff109e72.
2017-10-09 15:59:10 +03:00
Maxim Dounin
53d655f894 Upstream hash: reordered peer checks.
This slightly reduces cost of selecting a peer if all or almost all peers
failed, see ticket #1030.  There should be no measureable difference with
other workloads.
2017-10-05 17:43:05 +03:00
Maxim Dounin
a10ec2db91 Upstream hash: limited number of tries in consistent case.
While this may result in non-ideal distribution of requests if nginx
won't be able to select a server in a reasonable number of attempts,
this still looks better than severe performance degradation observed
if there is no limit and there are many points configured (ticket #1030).
This is also in line with what we do for other hash balancing methods.
2017-10-05 17:42:59 +03:00
Maxim Dounin
3a2ca34548 Fixed build without IPv6, broken by 874171c3c71a. 2017-10-05 16:50:35 +03:00
Maxim Dounin
41d8ea8c8d Fixed handling of unix sockets in $binary_remote_addr.
Previously, unix sockets were treated as AF_INET ones, and this may
result in buffer overread on Linux, where unbound unix sockets have
2-byte addresses.

Note that it is not correct to use just sun_path as a binary representation
for unix sockets.  This will result in an empty string for unbound unix
sockets, and thus behaviour of limit_req and limit_conn will change when
switching from $remote_addr to $binary_remote_addr.  As such, normal text
representation is used.

Reported by Stephan Dollberg.
2017-10-04 21:19:42 +03:00
Maxim Dounin
cba23f88ec Fixed handling of non-null-terminated unix sockets.
At least FreeBSD, macOS, NetBSD, and OpenBSD can return unix sockets
with non-null-terminated sun_path.  Additionally, the address may become
non-null-terminated if it does not fit into the buffer provided and was
truncated (may happen on macOS, NetBSD, and Solaris, which allow unix socket
addresess larger than struct sockaddr_un).  As such, ngx_sock_ntop() might
overread the sockaddr provided, as it used "%s" format and thus assumed
null-terminated string.

To fix this, the ngx_strnlen() function was introduced, and it is now used
to calculate correct length of sun_path.
2017-10-04 21:19:38 +03:00
Maxim Dounin
2e1e65a5c0 Fixed buffer overread with unix sockets after accept().
Some OSes (notably macOS, NetBSD, and Solaris) allow unix socket addresses
larger than struct sockaddr_un.  Moreover, some of them (macOS, Solaris)
return socklen of the socket address before it was truncated to fit the
buffer provided.  As such, on these systems socklen must not be used without
additional check that it is within the buffer provided.

Appropriate checks added to ngx_event_accept() (after accept()),
ngx_event_recvmsg() (after recvmsg()), and ngx_set_inherited_sockets()
(after getsockname()).

We also obtain socket addresses via getsockname() in
ngx_connection_local_sockaddr(), but it does not need any checks as
it is only used for INET and INET6 sockets (as there can be no
wildcard unix sockets).
2017-10-04 21:19:33 +03:00
Valentin Bartenev
328bfbe0d4 HTTP/2: enforce writing the sync request body buffer to file.
The sync flag of HTTP/2 request body buffer is used when the size of request
body is unknown or bigger than configured "client_body_buffer_size".  In this
case the buffer points to body data inside the global receive buffer that is
used for reading all HTTP/2 connections in the worker process.  Thus, when the
sync flag is set, the buffer must be flushed to a temporary file, otherwise
the request body data can be overwritten.

Previously, the sync buffer wasn't flushed to a temporary file if the whole
body was received in one DATA frame with the END_STREAM flag and wasn't
copied into the HTTP/2 body preread buffer.  As a result, the request body
might be corrupted (ticket #1384).

Now, setting r->request_body_in_file_only enforces writing the sync buffer
to a temporary file in all cases.
2017-10-04 21:15:15 +03:00
Maxim Dounin
d07d598c28 Cache: fixed caching of intercepted errors (ticket #1382).
When caching intercepted errors, previous behaviour was to use
proxy_cache_valid times specified, regardless of various cache control
headers present in the response.  Fix is to check u->cacheable and
use u->cache->valid_sec as set by various cache control response headers,
similar to how we do this in the normal caching code path.
2017-10-03 18:19:27 +03:00
Maxim Dounin
105dd42bd7 Upstream: better handling of invalid headers in cache files.
If cache file is truncated, it is possible that u->process_header()
will return NGX_AGAIN.  Added appropriate handling of this case by
changing the error to NGX_HTTP_UPSTREAM_INVALID_HEADER.

Also, added appropriate logging of this and NGX_HTTP_UPSTREAM_INVALID_HEADER
cases at the "crit" level.  Note that this will result in duplicate logging
in case of NGX_HTTP_UPSTREAM_INVALID_HEADER.  While this is something better
to avoid, it is considered to be an overkill to implement cache-specific
error logging in u->process_header().

Additionally, u->buffer.start is now reset to be able to receive a new
response, and u->cache_status set to MISS to provide the value in the
$upstream_cache_status variable, much like it happens on other cache file
errors detected by ngx_http_file_cache_read(), instead of HIT, which is
believed to be misleading.
2017-10-02 19:10:20 +03:00
Ruslan Ermilov
316a34951a Fixed the NGX_UNIX_ADDRSTRLEN macro. 2017-09-25 15:19:24 +03:00
Ruslan Ermilov
e7738ce82d Modules compatibility: down flag promoted to a bitmask.
It is to be used as a bitmask with various bits set/reset when appropriate.
63b8b157b776 made a similar change to ngx_http_upstream_rr_peer_t.down and
ngx_stream_upstream_rr_peer_t.down.
2017-09-22 22:49:42 +03:00
Ruslan Ermilov
ccd7e1037e Style. 2017-09-22 18:37:49 +03:00
Ruslan Ermilov
0cda728c6f Do not use the obsolete NGX_SOCKADDRLEN macro.
The change in ac120e797d28 re-used the macro which was made obsolete
in adf25b8d0431.
2017-09-22 13:10:49 +03:00
Ruslan Ermilov
05e87e19af Removed more remnants of the old pthread implementation.
After e284f3ff6831, ngx_crypt() can no longer return NGX_AGAIN.
2017-09-18 11:09:41 +03:00
Maxim Dounin
99cc4c72c7 HTTP/2: shortened some debug log messages.
This ensures slightly more readable debug logs on 80-character-wide
terminals.
2017-09-14 19:06:06 +03:00
Maxim Dounin
fc1575109e HTTP/2: fixed debug log about indexed headers.
Previously, "get indexed header" message was logged when in fact only
header name was obtained using an index, and "get indexed header name"
was logged when full header representation (name and value) was obtained
using an index.  Fixed version logs "get indexed name" and "get indexed
header" respectively.
2017-09-14 19:06:05 +03:00
Maxim Dounin
8f6c5306fb HTTP/2: added logging of 400 (Bad Request) reasons. 2017-09-14 19:06:03 +03:00
Roman Arutyunyan
c36a3c0cba Stream: fixed logging UDP upstream timeout.
Previously, when the first UDP response packet was not received from the
proxied server within proxy_timeout, no error message was logged before
switching to the next upstream.  Additionally, when one of succeeding response
packets was not received within the timeout, the timeout error had low severity
because it was logged as a client connection error as opposed to upstream
connection error.
2017-09-12 13:44:04 +03:00
Maxim Dounin
b900cc28fc Introduced time truncation to December 31, 9999 (ticket #1368).
Various buffers are allocated in an assumption that there would be
no more than 4 year digits.  This might not be true on platforms
with 64-bit time_t, as 64-bit time_t is able to represent more than that.
Such dates with more than 4 year digits hardly make sense though, as
various date formats in use do not allow them anyway.

As such, all dates are now truncated by ngx_gmtime() to December 31, 9999.
This should have no effect on valid dates, though will prevent potential
buffer overflows on invalid ones.
2017-09-13 15:53:19 +03:00
Maxim Dounin
0206ebe76f Fixed ngx_gmtime() on 32-bit platforms with 64-bit time_t.
In ngx_gmtime(), instead of casting to ngx_uint_t we now work with
time_t directly.  This allows using dates after 2038 on 32-bit platforms
which use 64-bit time_t, notably NetBSD and OpenBSD.

As the code is not able to work with negative time_t values, argument
is now set to 0 for negative values.  As a positive side effect, this
results in Epoch being used for such values instead of a date in distant
future.
2017-09-13 15:52:01 +03:00
Maxim Dounin
53bea399a0 Fixed reference to time parsing code after 8b6fa4842133. 2017-09-13 15:51:58 +03:00
Maxim Dounin
559017768e Style. 2017-09-13 15:51:52 +03:00
Piotr Sikora
63f5d46f58 HTTP/2: signal 0-byte HPACK's dynamic table size.
This change lets NGINX talk to clients with SETTINGS_HEADER_TABLE_SIZE
smaller than the default 4KB. Previously, NGINX would ACK the SETTINGS
frame with a small dynamic table size, but it would never send dynamic
table size update, leading to a connection-level COMPRESSION_ERROR.

Also, it allows clients to release 4KB of memory per connection, since
NGINX doesn't use HPACK's dynamic table when encoding headers, however
clients had to maintain it, since NGINX never signaled that it doesn't
use it.

Signed-off-by: Piotr Sikora <piotrsikora@google.com>
2017-08-30 14:52:11 -07:00
Roman Arutyunyan
15f81e0bbf Stream: relaxed next upstream condition (ticket #1317).
When switching to a next upstream, some buffers could be stuck in the middle
of the filter chain.  A condition existed that raised an error when this
happened.  As it turned out, this condition prevented switching to a next
upstream if ssl preread was used with the TCP protocol (see the ticket).

In fact, the condition does not make sense for TCP, since after successful
connection to an upstream switching to another upstream never happens.  As for
UDP, the issue with stuck buffers is unlikely to happen, but is still possible.
Specifically, if a filter delays sending data to upstream.

The condition can be relaxed to only check the "buffered" bitmask of the
upstream connection.  The new condition is simpler and fixes the ticket issue
as well.  Additionally, the upstream_out chain is now reset for UDP prior to
connecting to a new upstream to prevent repeating the client data twice.
2017-09-11 15:32:31 +03:00
Roman Arutyunyan
13e29a65f6 Version bump. 2017-09-11 15:46:23 +03:00
Roman Arutyunyan
418124e219 Secure link: fixed stack buffer overflow.
When secure link checksum has length of 23 or 24 bytes, decoded base64 value
could occupy 17 or 18 bytes which is more than 16 bytes previously allocated
for it on stack.  The buffer overflow does not have any security implications
since only one local variable was corrupted and this variable was not used in
this case.

The fix is to increase buffer size up to 18 bytes.  Useless buffer size
initialization is removed as well.
2017-08-22 21:22:59 +03:00
Maxim Dounin
6a2e409833 Upstream: unconditional parsing of last_modified_time.
This fixes at least the following cases, where no last_modified_time
(assuming caching is not enabled) resulted in incorrect behaviour:

- slice filter and If-Range requests (ticket #1357);
- If-Range requests with proxy_force_ranges;
- expires modified.
2017-08-23 19:20:06 +03:00
Maxim Dounin
ed0cc4d523 SSL: fixed possible use-after-free in $ssl_server_name.
The $ssl_server_name variable used SSL_get_servername() result directly,
but this is not safe: it references a memory allocation in an SSL
session, and this memory might be freed at any time due to renegotiation.
Instead, copy the name to memory allocated from the pool.
2017-08-22 17:36:12 +03:00
Maxim Dounin
50a0f25c60 SSL: the $ssl_client_escaped_cert variable (ticket #857).
This variable contains URL-encoded client SSL certificate.  In contrast
to $ssl_client_cert, it doesn't depend on deprecated header continuation.
The NGX_ESCAPE_URI_COMPONENT variant of encoding is used, so the resulting
variable can be safely used not only in headers, but also as a request
argument.

The $ssl_client_cert variable should be considered deprecated now.
The $ssl_client_raw_cert variable will be eventually renambed back
to $ssl_client_cert.
2017-08-22 15:18:10 +03:00
Maxim Dounin
008e9caa2a Range filter: changed type for total length to off_t.
Total length of a response with multiple ranges can be larger than a size_t
variable can hold, so type changed to off_t.  Previously, an incorrect
Content-Length was returned when requesting more than 4G of ranges from
a large enough file on a 32-bit system.

An additional size_t variable introduced to calculate size of the boundary
header buffer, as off_t is not needed here and will require type casts on
win32.

Reported by Shuxin Yang,
http://mailman.nginx.org/pipermail/nginx/2017-July/054384.html.
2017-08-10 22:21:23 +03:00
Maxim Dounin
dd5ab4a11f Restored ngx_event_aio_t layout for debug logging.
The "fd" field should be after 3 pointers for ngx_event_ident() to use it.
This was broken by ccad84a174e0.  While it does not seem to be currently used
for aio-related events, it should be a good idea to preserve the correct
layout nevertheless.
2017-08-10 22:21:22 +03:00
Maxim Dounin
0f841fcdee Style. 2017-08-10 22:21:20 +03:00
Sergey Kandaurov
b986b4314b Fixed calls to ngx_open_file() in certain places.
Pass NGX_FILE_OPEN to ngx_open_file() to fix "The parameter is incorrect"
error on win32 when using the ssl_session_ticket_key directive or loading
a binary geo base.  On UNIX, this change is a no-op.
2017-08-09 15:03:27 +03:00
Sergey Kandaurov
32c7bd5102 Style. 2017-08-09 14:59:46 +03:00
Sergey Kandaurov
c7c13a21ad Version bump. 2017-08-09 14:59:44 +03:00
Ruslan Ermilov
5f628fef3b Slab: fixed initialization on win32.
On Windows, a worker process does not call ngx_slab_init() from
ngx_init_zone_pool(), so ngx_slab_max_size, ngx_slab_exact_size,
and ngx_slab_exact_shift were left uninitialized.
2017-08-08 15:16:01 +03:00
Ruslan Ermilov
c9a81b29b5 Upstream: copy peer data in shared memory.
This, in addition to 1eb753aa8e5e, fixes "upstream zone" on Windows.
2017-08-04 17:03:10 +03:00
Ruslan Ermilov
c09bba400d Referer: fixed $invalid_referer.
The variable was considered non-existent in the absence of any
valid_referers directives.

Given the following config snippet,

    location / {
        return 200 $invalid_referer;
    }

    location /referer {
        valid_referers server_names;
    }

"location /" should work identically and independently on other
"location /referer".

The fix is to always add the $invalid_referer variable as long
as the module is compiled in, as is done by other modules.
2017-08-04 08:01:55 +03:00