*) Fixed incorrect ngx_cpystrn() usage in ngx_http_*_process_header().
This resulted in a disclosure of previously freed memory if upstream
server returned specially crafted response, potentially exposing
sensitive information.
Reported by Matthew Daley.
*) Headers with null character are now rejected.
Headers with NUL character aren't allowed by HTTP standard and may cause
various security problems. They are now unconditionally rejected.
ZFS reports incorrect st_blocks until file settles on disk, and this
may take a while (i.e. just after creation of a file the st_blocks value
is incorrect). As a workaround we now use st_blocks only if
st_blocks * 512 > st_size, this should fix ZFS problems while still
preserving accuracy for other filesystems.
The problem had appeared in r3900 (1.0.1).
Fix of rbtree lookup on hash collisions.
Previous code incorrectly assumed that nodes with identical keys are linked
together. This might not be true after tree rebalance.
Patch by Lanshun Zhou.
Fixed null pointer dereference in resolver (ticket #91).
The cycle->new_log.file may not be set before config parsing finished if
there are no error_log directive defined at global level. Fix is to
copy it after config parsing.
Patch by Roman Arutyunyan.
*) Fixed build with embedded perl and --with-openssl.
*) Configure: moved icc detection before gcc. New versions of icc
confuse auto/cc/name due to introduced handling of a "icc -v".
Core: protection from cycles with named locations and post_action.
Now redirects to named locations are counted against normal uri changes
limit, and post_action respects this limit as well. As a result at least
the following (bad) configurations no longer trigger infinite cycles:
1. Post action which recursively triggers post action:
location / {
post_action /index.html;
}
2. Post action pointing to nonexistent named location:
location / {
post_action @nonexistent;
}
3. Recursive error page for 500 (Internal Server Error) pointing to
a nonexistent named location:
location / {
recursive_error_pages on;
error_page 500 @nonexistent;
return 500;
}
Variables: honor no_cacheable for not_found variables.
Variables with the "not_found" flag set follow the same rules as ones with
the "valid" flag set. Make sure ngx_http_get_flushed_variable() will flush
non-cacheable variables with the "not_found" flag set.
This fixes at least one known problem with $args not available in a subrequest
(with args) when there were no args in the main request and $args variable was
queried in the main request (reported by Laurence Rowe aka elro on irc).
Also this eliminates unneeded call to ngx_http_get_indexed_variable() in
cacheable case (as it will return cached value anyway).
Fix for proxy_store leaving temporary files for subrequests.
Temporary files might not be removed if the "proxy_store" or "fastcgi_store"
directives were used for subrequests (e.g. ssi includes) and client closed
connection prematurely.
Non-active subrequests are finalized out of the control of the upstream
module when client closes a connection. As a result, the code to remove
unfinished temporary files in ngx_http_upstream_process_request() wasn't
executed.
Fix is to move relevant code into ngx_http_upstream_finalize_request() which
is called in all cases, either directly or via the cleanup handler.
If header filter postponed processing of a header by returning NGX_AGAIN
and not moved u->buffer->pos, previous check incorrectly assumed there
is additional space and did another recv() with zero-size buffer. This
resulted in "upstream prematurely closed connection" error instead
of correct "upstream sent too big header" one.
Patch by Feibo Li.
Fixed error handling in ngx_event_connect_peer().
Previously if ngx_add_event() failed a connection was freed two times (once
in the ngx_event_connect_peer(), and again by a caller) as pc->connection was
left set. Fix is to always use ngx_close_connection() to close connection
properly and set pc->connection to NULL on errors.
Patch by Piotr Sikora.
Fixed AIO error handling on FreeBSD.
The aio_return() must be called regardless of the error returned by
aio_error(). Not calling it resulted in various problems up to segmentation
faults (as AIO events are level-triggered and were reported again and again).
Additionally, in "aio sendfile" case r->blocked was incremented in case of
error returned from ngx_file_aio_read(), thus causing request hangs.
Fixed division by zero exception in ngx_hash_init().
The ngx_hash_init() function did not expect call with zero elements count,
which caused FPE error on configs with an empty "types" block in http context
and "types_hash_max_size" > 10000.
Fixed sched_setaffinity(2) to correctly pass size.
Second argument (cpusetsize) is size in bytes, not in bits. Previously
used constant 32 resulted in reading of uninitialized memory and caused
EINVAL to be returned on some Linux kernels.
SSL changes:
*) Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Support for TLSv1.1 and TLSv1.2 protocols was introduced in
OpenSSL 1.0.1 (-beta1 was recently released). This change makes it
possible to disable these protocols and/or enable them without other
protocols.
*) Removed ENGINE_load_builtin_engines() call.
It's already called by OPENSSL_config(). Calling it again causes
some openssl engines (notably GOST) to corrupt memory, as they don't
expect to be created more than once.
Fixes for limit_rate:
*) Fixed throughput problems with large limit_rate.
Previous attempt to fix this was in r1658 (0.6.18), though that one
wasn't enough (it was a noop).
*) Fixed interaction of limit_rate and sendfile_max_chunk.
It's possible that configured limit_rate will permit more bytes per
single operation than sendfile_max_chunk. To protect disk from
takeover by a single client it is necessary to apply sendfile_max_chunk
as a limit regardless of configured limit_rate.
See here for report (in Russian):
http://mailman.nginx.org/pipermail/nginx-ru/2010-March/032806.html
MP4 fixes:
*) Fixed mp4 if first entry in stsc was skipped (ticket #72).
If first entry in stsc atom was skipped, and seek was to chunk
boundary, than first_chunk in the generated stsc table wasn't
set to 1.
*) Fixed handling of mp4 above 2G and 32bit offsets (ticket #84).
Fixed limit_conn_log_level/limit_req_log_level inheritance. The
directives did not work if there were no limit_conn/limit_req
specified on the same level.
The code for limit_conn is different in 1.0.x, conflict resolved
manually.
SSI changes:
*) The "if" command did not work inside the "block" command and
produced parsing errors.
*) Added regex captures support in the expression of the "if" command.
SCGI fixes:
*) Fixed incorrect use of r->http_version in scgi module.
The r->http_version is a version of client's request, and modules
must not set it unless they are really willing to downgrade protocol
version used for a response (i.e. to HTTP/0.9 if no response headers
are available). In neither case r->http_version may be upgraded.
The former code downgraded response from HTTP/1.1 to HTTP/1.0 for no
reason, causing various problems (see ticket #66). It was also
possible that HTTP/0.9 requests were upgraded to HTTP/1.0.
*) Removed duplicate function declaration.
*) Removed error if there is no Status header.
The SCGI specification doesn't specify format of the response, and
assuming CGI specs should be used there is no reason to complain.
RFC 3875 explicitly states that "A Status header field is optional,
and status 200 'OK' is assumed if it is omitted".
Cache fixes:
*) Obsolete code removed.
The ngx_http_cache() and ngx_http_no_cache_set_slot() functions
were replaced in 0.8.46 and no longer used since then.
*) Handling of cache files with long headers.
There are two possible situations which can lead to this: response
was cached with bigger proxy_buffer_size value (and nginx was
restared since then, i.e. shared memory zone content was lost), or
due to the race in the cache update code (see [1]) we've end up
with fcn->body_start from a different response stored in shared
memory zone.
*) Only complain on long locked entries.
There have been multiple reports of cases where a real locked entry
was removed, resulting in a segmentation fault later in a worker
which locked the entry. It looks like default inactive timeout isn't
enough in real life.
For now just ignore such locked entries, and move them to the top of
the inactive queue to allow processing of other entries.
[1] http://mailman.nginx.org/pipermail/nginx-devel/2011-September/001287.html
Microoptimization of sendfile(2) usage under FreeBSD.
FreeBSD kernel checks headers/trailers pointer against NULL, not
corresponding count. Passing NULL if there are no headers/trailers
helps to avoid unneeded work in kernel, as well as unexpected 0 bytes
GIO in traces.
Fixed: some of $sent_http_* variables might contain header entries
which actually wasn't sent to a client.
The ngx_http_variable_headers() and ngx_http_variable_unknown_header()
functions did not ignore response header entries with zero "hash"
field.
Thanks to Yichun Zhang (agentzh).
Maxim Dounin