Changed |
nginx.spec
Changed |
nginx-1.5.12.tar.gz/CHANGES
@@ -1,4 +1,55 @@
+Changes with nginx 1.5.12 18 Mar 2014
+
+ *) Security: a heap memory buffer overflow might occur in a worker
+ process while handling a specially crafted request by
+ ngx_http_spdy_module, potentially resulting in arbitrary code
+ execution (CVE-2014-0133).
+ Thanks to Lucas Molas, researcher at Programa STIC, Fundación Dr.
+ Manuel Sadosky, Buenos Aires, Argentina.
+
+ *) Feature: the "proxy_protocol" parameters of the "listen" and
+ "real_ip_header" directives, the $proxy_protocol_addr variable.
+
+ *) Bugfix: in the "fastcgi_next_upstream" directive.
+ Thanks to Lucas Molas.
+
+
+Changes with nginx 1.5.11 04 Mar 2014
+
+ *) Security: memory corruption might occur in a worker process on 32-bit
+ platforms while handling a specially crafted request by
+ ngx_http_spdy_module, potentially resulting in arbitrary code
+ execution (CVE-2014-0088); the bug had appeared in 1.5.10.
+ Thanks to Lucas Molas, researcher at Programa STIC, Fundación Dr.
+ Manuel Sadosky, Buenos Aires, Argentina.
+
+ *) Feature: the $ssl_session_reused variable.
+
+ *) Bugfix: the "client_max_body_size" directive might not work when
+ reading a request body using chunked transfer encoding; the bug had
+ appeared in 1.3.9.
+ Thanks to Lucas Molas.
+
+ *) Bugfix: a segmentation fault might occur in a worker process when
+ proxying WebSocket connections.
+
+ *) Bugfix: a segmentation fault might occur in a worker process if the
+ ngx_http_spdy_module was used on 32-bit platforms; the bug had
+ appeared in 1.5.10.
+
+ *) Bugfix: the $upstream_status variable might contain wrong data if the
+ "proxy_cache_use_stale" or "proxy_cache_revalidate" directives were
+ used.
+ Thanks to Piotr Sikora.
+
+ *) Bugfix: a segmentation fault might occur in a worker process if
+ errors with code 400 were redirected to a named location using the
+ "error_page" directive.
+
+ *) Bugfix: nginx/Windows could not be built with Visual Studio 2013.
+
+
Changes with nginx 1.5.10 04 Feb 2014
*) Feature: the ngx_http_spdy_module now uses SPDY 3.1 protocol.
Changed |
nginx-1.5.12.tar.gz/CHANGES.ru
@@ -1,4 +1,56 @@
+Изменения в nginx 1.5.12 18.03.2014
+
+ *) Безопасность: при обработке специально созданного запроса модулем
+ ngx_http_spdy_module могло происходить переполнение буфера в рабочем
+ процессе, что потенциально могло приводить к выполнению произвольного
+ кода (CVE-2014-0133).
+ Спасибо Lucas Molas из Programa STIC, Fundación Dr. Manuel Sadosky,
+ Buenos Aires, Argentina.
+
+ *) Добавление: параметр proxy_protocol в директивах listen и
+ real_ip_header, переменная $proxy_protocol_addr.
+
+ *) Исправление: в директиве fastcgi_next_upstream.
+ Спасибо Lucas Molas.
+
+
+Изменения в nginx 1.5.11 04.03.2014
+
+ *) Безопасность: при обработке специально созданного запроса модулем
+ ngx_http_spdy_module на 32-битных платформах могла повреждаться
+ память рабочего процесса, что потенциально могло приводить к
+ выполнению произвольного кода (CVE-2014-0088); ошибка появилась в
+ 1.5.10.
+ Спасибо Lucas Molas из Programa STIC, Fundación Dr. Manuel Sadosky,
+ Buenos Aires, Argentina.
+
+ *) Добавление: переменная $ssl_session_reused.
+
+ *) Исправление: директива client_max_body_size могла не работать при
+ чтении тела запроса с использованием chunked transfer encoding;
+ ошибка появилась в 1.3.9.
+ Спасибо Lucas Molas.
+
+ *) Исправление: при проксировании WebSocket-соединений в рабочем
+ процессе мог произойти segmentation fault.
+
+ *) Исправление: в рабочем процессе мог произойти segmentation fault,
+ если использовался модуль ngx_http_spdy_module на 32-битных
+ платформах; ошибка появилась в 1.5.10.
+
+ *) Исправление: значение переменной $upstream_status могло быть
+ неверным, если использовались директивы proxy_cache_use_stale или
+ proxy_cache_revalidate.
+ Спасибо Piotr Sikora.
+
+ *) Исправление: в рабочем процессе мог произойти segmentation fault,
+ если ошибки с кодом 400 с помощью директивы error_page
+ перенаправлялись в именованный location.
+
+ *) Исправление: nginx/Windows не собирался с Visual Studio 2013.
+
+
Изменения в nginx 1.5.10 04.02.2014
*) Добавление: модуль ngx_http_spdy_module теперь использует протокол
Changed |
nginx-1.5.12.tar.gz/auto/cc/msvc
@@ -106,6 +106,7 @@
# precompiled headers
CORE_DEPS="$CORE_DEPS $NGX_OBJS/ngx_config.pch"
+CORE_LINK="$NGX_OBJS/ngx_pch.obj"
NGX_PCH="$NGX_OBJS/ngx_config.pch"
NGX_BUILD_PCH="-Ycngx_config.h -Fp$NGX_OBJS/ngx_config.pch"
NGX_USE_PCH="-Yungx_config.h -Fp$NGX_OBJS/ngx_config.pch"
Changed |
nginx-1.5.12.tar.gz/auto/sources
@@ -36,7 +36,8 @@
src/core/ngx_conf_file.h \
src/core/ngx_resolver.h \
src/core/ngx_open_file_cache.h \
- src/core/ngx_crypt.h"
+ src/core/ngx_crypt.h \
+ src/core/ngx_proxy_protocol.h"
CORE_SRCS="src/core/nginx.c \
@@ -67,7 +68,8 @@
src/core/ngx_conf_file.c \
src/core/ngx_resolver.c \
src/core/ngx_open_file_cache.c \
- src/core/ngx_crypt.c"
+ src/core/ngx_crypt.c \
+ src/core/ngx_proxy_protocol.c"
REGEX_MODULE=ngx_regex_module
Changed |
nginx-1.5.12.tar.gz/conf/mime.types
@@ -32,6 +32,7 @@
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
+ application/vnd.apple.mpegurl m3u8;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
@@ -54,6 +55,7 @@
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
+ application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
@@ -73,6 +75,7 @@
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
+ video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
Changed |
nginx-1.5.12.tar.gz/src/core/nginx.h
@@ -9,8 +9,8 @@
#define _NGINX_H_INCLUDED_
-#define nginx_version 1005010
-#define NGINX_VERSION "1.5.10"
+#define nginx_version 1005012
+#define NGINX_VERSION "1.5.12"
#define NGINX_VER "nginx/" NGINX_VERSION
#define NGINX_VAR "NGINX"
Changed |
nginx-1.5.12.tar.gz/src/core/ngx_connection.c
@@ -129,7 +129,7 @@
#if (NGX_HAVE_INET6)
case AF_INET6:
ls[i].addr_text_max_len = NGX_INET6_ADDRSTRLEN;
- len = NGX_INET6_ADDRSTRLEN + sizeof(":65535") - 1;
+ len = NGX_INET6_ADDRSTRLEN + sizeof("[]:65535") - 1;
break;
#endif
@@ -244,7 +244,7 @@
if (getsockopt(ls[i].fd, SOL_SOCKET, SO_ACCEPTFILTER, &af, &olen)
== -1)
{
- err = ngx_errno;
+ err = ngx_socket_errno;
if (err == NGX_EINVAL) {
continue;
@@ -277,7 +277,7 @@
if (getsockopt(ls[i].fd, IPPROTO_TCP, TCP_DEFER_ACCEPT, &timeout, &olen)
== -1)
{
- err = ngx_errno;
+ err = ngx_socket_errno;
if (err == NGX_EOPNOTSUPP) {
continue;
@@ -661,7 +661,7 @@
if (setsockopt(ls[i].fd, SOL_SOCKET, SO_ACCEPTFILTER, NULL, 0)
== -1)
{
- ngx_log_error(NGX_LOG_ALERT, cycle->log, ngx_errno,
+ ngx_log_error(NGX_LOG_ALERT, cycle->log, ngx_socket_errno,
"setsockopt(SO_ACCEPTFILTER, NULL) "
"for %V failed, ignored",
&ls[i].addr_text);
@@ -688,7 +688,7 @@
&af, sizeof(struct accept_filter_arg))
== -1)
{
- ngx_log_error(NGX_LOG_ALERT, cycle->log, ngx_errno,
+ ngx_log_error(NGX_LOG_ALERT, cycle->log, ngx_socket_errno,
"setsockopt(SO_ACCEPTFILTER, \"%s\") "
"for %V failed, ignored",
ls[i].accept_filter, &ls[i].addr_text);
@@ -721,7 +721,7 @@
&value, sizeof(int))
== -1)
{
- ngx_log_error(NGX_LOG_ALERT, cycle->log, ngx_errno,
+ ngx_log_error(NGX_LOG_ALERT, cycle->log, ngx_socket_errno,
"setsockopt(TCP_DEFER_ACCEPT, %d) for %V failed, "
"ignored",
value, &ls[i].addr_text);
Changed |
nginx-1.5.12.tar.gz/src/core/ngx_connection.h
@@ -139,6 +139,8 @@
socklen_t socklen;
ngx_str_t addr_text;
+ ngx_str_t proxy_protocol_addr;
+
#if (NGX_SSL)
ngx_ssl_connection_t *ssl;
#endif
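Review bot: The new `proxy_protocol_addr` field at the top of this hunk carries no comment saying where its bytes come from. It is filled by ngx_proxy_protocol_parse() from text sent by the connecting peer, so it is only as trustworthy as whoever can reach a listener configured with `proxy_protocol`. A comment such as `/* source address claimed in the PROXY protocol header; peer-supplied, empty if none was read */` would make that visible to code that later logs the value or bases an access decision on it. The structure itself starts and ends outside the hunk.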
Changed |
nginx-1.5.12.tar.gz/src/core/ngx_core.h
@@ -77,6 +77,7 @@
#include <ngx_open_file_cache.h>
#include <ngx_os.h>
#include <ngx_connection.h>
+#include <ngx_proxy_protocol.h>
#define LF (u_char) 10
Changed |
nginx-1.5.12.tar.gz/src/core/ngx_cycle.c
@@ -494,14 +494,14 @@
}
if (ngx_cmp_sockaddr(nls[n].sockaddr, nls[n].socklen,
- ls[i].sockaddr, ls[n].socklen, 1)
+ ls[i].sockaddr, ls[i].socklen, 1)
== NGX_OK)
{
nls[n].fd = ls[i].fd;
nls[n].previous = &ls[i];
ls[i].remain = 1;
- if (ls[n].backlog != nls[i].backlog) {
+ if (ls[i].backlog != nls[n].backlog) {
nls[n].listen = 1;
}
@@ -532,7 +532,7 @@
#if (NGX_HAVE_DEFERRED_ACCEPT && defined TCP_DEFER_ACCEPT)
- if (ls[n].deferred_accept && !nls[n].deferred_accept) {
+ if (ls[i].deferred_accept && !nls[n].deferred_accept) {
nls[n].delete_deferred = 1;
} else if (ls[i].deferred_accept != nls[n].deferred_accept)
Added |
nginx-1.5.12.tar.gz/src/core/ngx_proxy_protocol.c
@@ -0,0 +1,91 @@
+
+/*
+ * Copyright (C) Roman Arutyunyan
+ * Copyright (C) Nginx, Inc.
+ */
+
+
+#include <ngx_config.h>
+#include <ngx_core.h>
+
+
+u_char *
+ngx_proxy_protocol_parse(ngx_connection_t *c, u_char *buf, u_char *last)
+{
+ size_t len;
+ u_char ch, *p, *addr;
+
+ p = buf;
+ len = last - buf;
+
+ if (len < 8 || ngx_strncmp(p, "PROXY ", 6) != 0) {
+ goto invalid;
+ }
+
+ p += 6;
+ len -= 6;
+
+ if (len >= 7 && ngx_strncmp(p, "UNKNOWN", 7) == 0) {
+ ngx_log_debug0(NGX_LOG_DEBUG_CORE, c->log, 0,
+ "PROXY protocol unknown protocol");
+ p += 7;
+ goto skip;
+ }
+
+ if (len < 5 || ngx_strncmp(p, "TCP", 3) != 0
+ || (p[3] != '4' && p[3] != '6') || p[4] != ' ')
+ {
+ goto invalid;
+ }
+
+ p += 5;
+ addr = p;
+
+ for ( ;; ) {
+ if (p == last) {
+ goto invalid;
+ }
+
+ ch = *p++;
+
+ if (ch == ' ') {
+ break;
+ }
+
+ if (ch != ':' && ch != '.'
+ && (ch < 'a' || ch > 'f')
+ && (ch < 'A' || ch > 'F')
+ && (ch < '0' || ch > '9'))
+ {
+ goto invalid;
+ }
+ }
+
+ len = p - addr - 1;
+ c->proxy_protocol_addr.data = ngx_pnalloc(c->pool, len);
+
+ if (c->proxy_protocol_addr.data == NULL) {
+ return NULL;
+ }
+
+ ngx_memcpy(c->proxy_protocol_addr.data, addr, len);
+ c->proxy_protocol_addr.len = len;
+
+ ngx_log_debug1(NGX_LOG_DEBUG_CORE, c->log, 0,
+ "PROXY protocol address: \"%V\"", &c->proxy_protocol_addr);
+
+skip:
+
+ for ( /* void */ ; p < last - 1; p++) {
+ if (p[0] == CR && p[1] == LF) {
+ return p + 2;
+ }
+ }
+
+invalid:
+
+ ngx_log_error(NGX_LOG_ERR, c->log, 0,
+ "broken header: \"%*s\"", (size_t) (last - buf), buf);
+
+ return NULL;
+}
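Review bot: The `invalid:` path writes the rejected input to the error log as `"%*s"` with length `last - buf`, so whatever a peer sends first on a proxy_protocol listener is copied into the log at ERR level. Unless the formatter escapes it, that presumably includes control characters and line breaks, and the logged length is bounded only by the caller's read size. Logging a capped prefix, e.g. passing `ngx_min((size_t) (last - buf), NGX_PROXY_PROTOCOL_MAX_HEADER)` as the length, and escaping non-printable bytes would keep hostile input from shaping the log. Separately, the address loop only restricts the character set (hex digits, `:` and `.`), so an empty or malformed address is stored as-is. A header comment on the function should state that `proxy_protocol_addr` is not a validated IP address.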
Added |
nginx-1.5.12.tar.gz/src/core/ngx_proxy_protocol.h
@@ -0,0 +1,23 @@
+
+/*
+ * Copyright (C) Roman Arutyunyan
+ * Copyright (C) Nginx, Inc.
+ */
+
+
+#ifndef _NGX_PROXY_PROTOCOL_H_INCLUDED_
+#define _NGX_PROXY_PROTOCOL_H_INCLUDED_
+
+
+#include <ngx_config.h>
+#include <ngx_core.h>
+
+
+#define NGX_PROXY_PROTOCOL_MAX_HEADER 107
+
+
+u_char *ngx_proxy_protocol_parse(ngx_connection_t *c, u_char *buf,
+ u_char *last);
+
+
+#endif /* _NGX_PROXY_PROTOCOL_H_INCLUDED_ */
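Review bot: `NGX_PROXY_PROTOCOL_MAX_HEADER 107` is an unexplained constant, yet it sizes the stack buffer that ngx_http_ssl_handshake() peeks into. As I read the PROXY protocol v1 specification, 107 is the longest possible header line including the trailing CRLF, so a comment such as `/* longest PROXY protocol v1 line, including CRLF */` would tie the value to the specification and warn against shrinking it. The prototype would also benefit from a short comment stating that the function returns a pointer just past the header's CRLF, or NULL on a malformed or incomplete header or on allocation failure.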
Changed |
nginx-1.5.12.tar.gz/src/core/ngx_resolver.c
@@ -3037,14 +3037,7 @@
ngx_log_error(NGX_LOG_ALERT, &uc->log, ngx_socket_errno,
ngx_nonblocking_n " failed");
- ngx_free_connection(c);
-
- if (ngx_close_socket(s) == -1) {
- ngx_log_error(NGX_LOG_ALERT, &uc->log, ngx_socket_errno,
- ngx_close_socket_n " failed");
- }
-
- return NGX_ERROR;
+ goto failed;
}
rev = c->read;
@@ -3069,7 +3062,7 @@
#endif
ngx_log_debug3(NGX_LOG_DEBUG_EVENT, &uc->log, 0,
- "connect to %V, fd:%d #%d", &uc->server, s, c->number);
+ "connect to %V, fd:%d #%uA", &uc->server, s, c->number);
rc = connect(s, uc->sockaddr, uc->socklen);
@@ -3079,7 +3072,7 @@
ngx_log_error(NGX_LOG_CRIT, &uc->log, ngx_socket_errno,
"connect() failed");
- return NGX_ERROR;
+ goto failed;
}
/* UDP sockets are always ready to write */
@@ -3093,16 +3086,23 @@
/* eventport event type has no meaning: oneshot only */
if (ngx_add_event(rev, NGX_READ_EVENT, event) != NGX_OK) {
- return NGX_ERROR;
+ goto failed;
}
} else {
/* rtsig */
if (ngx_add_conn(c) == NGX_ERROR) {
- return NGX_ERROR;
+ goto failed;
}
}
return NGX_OK;
+
+failed:
+
+ ngx_close_connection(c);
+ uc->connection = NULL;
+
+ return NGX_ERROR;
}
Changed |
nginx-1.5.12.tar.gz/src/event/ngx_event_accept.c
@@ -344,7 +344,7 @@
#endif
ngx_log_debug3(NGX_LOG_DEBUG_EVENT, log, 0,
- "*%d accept: %V fd:%d", c->number, &c->addr_text, s);
+ "*%uA accept: %V fd:%d", c->number, &c->addr_text, s);
if (ngx_add_conn && (ngx_event_flags & NGX_USE_EPOLL_EVENT) == 0) {
if (ngx_add_conn(c) == NGX_ERROR) {
Changed |
nginx-1.5.12.tar.gz/src/event/ngx_event_connect.c
@@ -122,7 +122,7 @@
}
ngx_log_debug3(NGX_LOG_DEBUG_EVENT, pc->log, 0,
- "connect to %V, fd:%d #%d", pc->name, s, c->number);
+ "connect to %V, fd:%d #%uA", pc->name, s, c->number);
rc = connect(s, pc->sockaddr, pc->socklen);
Changed |
nginx-1.5.12.tar.gz/src/event/ngx_event_openssl.c
@@ -2529,6 +2529,20 @@
ngx_int_t
+ngx_ssl_get_session_reused(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
+{
+ if (SSL_session_reused(c->ssl->connection)) {
+ ngx_str_set(s, "r");
+
+ } else {
+ ngx_str_set(s, ".");
+ }
+
+ return NGX_OK;
+}
+
+
+ngx_int_t
ngx_ssl_get_raw_certificate(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
size_t len;
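Review bot: ngx_ssl_get_session_reused() has no comment describing its output, and the two one-character values are not self-evident. A short header such as `/* sets *s to "r" if the TLS session was resumed and to "." otherwise; pool is unused */` would document the contract behind $ssl_session_reused. The function also dereferences `c->ssl` unconditionally, so it relies on the caller having checked that the connection uses TLS; that check is not visible in this hunk.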
Changed |
nginx-1.5.12.tar.gz/src/event/ngx_event_openssl.h
@@ -157,6 +157,8 @@
ngx_str_t *s);
ngx_int_t ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool,
ngx_str_t *s);
+ngx_int_t ngx_ssl_get_session_reused(ngx_connection_t *c, ngx_pool_t *pool,
+ ngx_str_t *s);
ngx_int_t ngx_ssl_get_raw_certificate(ngx_connection_t *c, ngx_pool_t *pool,
ngx_str_t *s);
ngx_int_t ngx_ssl_get_certificate(ngx_connection_t *c, ngx_pool_t *pool,
Changed |
nginx-1.5.12.tar.gz/src/http/modules/ngx_http_access_module.c
@@ -259,7 +259,11 @@
rule_un = alcf->rules_un->elts;
for (i = 0; i < alcf->rules_un->nelts; i++) {
- return ngx_http_access_found(r, rule_un[i].deny);
+
+ /* TODO: check path */
+ if (1) {
+ return ngx_http_access_found(r, rule_un[i].deny);
+ }
}
return NGX_DECLINED;
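Review bot: The `if (1)` placeholder under `/* TODO: check path */` means the loop still returns on its first iteration, so for a unix-domain client the first entry in `rules_un` decides the outcome and later entries are never consulted. Because this is access-control code, the comment should say so outright, for example `/* TODO: check path; until then the first rule matches every unix socket client */`, so the behaviour is not mistaken for per-path matching. The enclosing function starts outside the hunk.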
Changed |
nginx-1.5.12.tar.gz/src/http/modules/ngx_http_fastcgi_module.c
@@ -1208,6 +1208,10 @@
f->fastcgi_stdout = 0;
f->large_stderr = 0;
+ if (f->split_parts) {
+ f->split_parts->nelts = 0;
+ }
+
r->state = 0;
return NGX_OK;
@@ -1488,6 +1492,13 @@
rc = ngx_http_parse_header_line(r, &buf, 1);
+ if (rc != NGX_OK) {
+ ngx_log_error(NGX_LOG_ALERT, r->connection->log, 0,
+ "invalid header after joining "
+ "FastCGI records");
+ return NGX_ERROR;
+ }
+
h->key.len = r->header_name_end - r->header_name_start;
h->key.data = r->header_name_start;
h->key.data[h->key.len] = '\0';
@@ -1584,7 +1595,7 @@
ngx_str_set(&u->headers_in.status_line, "200 OK");
}
- if (u->state) {
+ if (u->state && u->state->status == 0) {
u->state->status = u->headers_in.status_n;
}
Changed |
nginx-1.5.12.tar.gz/src/http/modules/ngx_http_gzip_static_module.c
@@ -38,7 +38,7 @@
static ngx_command_t ngx_http_gzip_static_commands[] = {
{ ngx_string("gzip_static"),
- NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_FLAG,
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
ngx_conf_set_enum_slot,
NGX_HTTP_LOC_CONF_OFFSET,
offsetof(ngx_http_gzip_static_conf_t, enable),
Changed |
nginx-1.5.12.tar.gz/src/http/modules/ngx_http_mp4_module.c
@@ -2481,7 +2481,7 @@
n = (next_chunk - chunk) * samples;
- if (start_sample <= n) {
+ if (start_sample < n) {
goto found;
}
Changed |
nginx-1.5.12.tar.gz/src/http/modules/ngx_http_proxy_module.c
@@ -1362,7 +1362,7 @@
return NGX_OK;
}
- if (u->state) {
+ if (u->state && u->state->status == 0) {
u->state->status = ctx->status.code;
}
Changed |
nginx-1.5.12.tar.gz/src/http/modules/ngx_http_range_filter_module.c
@@ -432,7 +432,9 @@
+ r->headers_out.content_type.len
+ sizeof(CRLF "Content-Range: bytes ") - 1;
- if (r->headers_out.charset.len) {
+ if (r->headers_out.content_type_len == r->headers_out.content_type.len
+ && r->headers_out.charset.len)
+ {
len += sizeof("; charset=") - 1 + r->headers_out.charset.len;
}
@@ -451,7 +453,9 @@
* "Content-Range: bytes "
*/
- if (r->headers_out.charset.len) {
+ if (r->headers_out.content_type_len == r->headers_out.content_type.len
+ && r->headers_out.charset.len)
+ {
ctx->boundary_header.len = ngx_sprintf(ctx->boundary_header.data,
CRLF "--%0muA" CRLF
"Content-Type: %V; charset=%V" CRLF
@@ -461,8 +465,6 @@
&r->headers_out.charset)
- ctx->boundary_header.data;
- r->headers_out.charset.len = 0;
-
} else if (r->headers_out.content_type.len) {
ctx->boundary_header.len = ngx_sprintf(ctx->boundary_header.data,
CRLF "--%0muA" CRLF
@@ -501,6 +503,8 @@
r->headers_out.content_type_len = r->headers_out.content_type.len;
+ r->headers_out.charset.len = 0;
+
/* the size of the last boundary CRLF "--0123456789--" CRLF */
len = sizeof(CRLF "--") - 1 + NGX_ATOMIC_T_LEN + sizeof("--" CRLF) - 1;
Changed |
nginx-1.5.12.tar.gz/src/http/modules/ngx_http_realip_module.c
@@ -13,6 +13,7 @@
#define NGX_HTTP_REALIP_XREALIP 0
#define NGX_HTTP_REALIP_XFWD 1
#define NGX_HTTP_REALIP_HEADER 2
+#define NGX_HTTP_REALIP_PROXY 3
typedef struct {
@@ -156,6 +157,18 @@
break;
+ case NGX_HTTP_REALIP_PROXY:
+
+ value = &r->connection->proxy_protocol_addr;
+
+ if (value->len == 0) {
+ return NGX_DECLINED;
+ }
+
+ xfwd = NULL;
+
+ break;
+
default: /* NGX_HTTP_REALIP_HEADER */
part = &r->headers_in.headers.part;
@@ -343,6 +356,11 @@
return NGX_CONF_OK;
}
+ if (ngx_strcmp(value[1].data, "proxy_protocol") == 0) {
+ rlcf->type = NGX_HTTP_REALIP_PROXY;
+ return NGX_CONF_OK;
+ }
+
rlcf->type = NGX_HTTP_REALIP_HEADER;
rlcf->hash = ngx_hash_strlow(value[1].data, value[1].data, value[1].len);
rlcf->header = value[1];
Changed |
nginx-1.5.12.tar.gz/src/http/modules/ngx_http_scgi_module.c
@@ -885,7 +885,7 @@
return ngx_http_scgi_process_header(r);
}
- if (u->state) {
+ if (u->state && u->state->status == 0) {
u->state->status = status->code;
}
@@ -1013,7 +1013,7 @@
ngx_str_set(&u->headers_in.status_line, "200 OK");
}
- if (u->state) {
+ if (u->state && u->state->status == 0) {
u->state->status = u->headers_in.status_n;
}
Changed |
nginx-1.5.12.tar.gz/src/http/modules/ngx_http_ssl_module.c
@@ -270,6 +270,9 @@
{ ngx_string("ssl_session_id"), NULL, ngx_http_ssl_variable,
(uintptr_t) ngx_ssl_get_session_id, NGX_HTTP_VAR_CHANGEABLE, 0 },
+ { ngx_string("ssl_session_reused"), NULL, ngx_http_ssl_variable,
+ (uintptr_t) ngx_ssl_get_session_reused, NGX_HTTP_VAR_CHANGEABLE, 0 },
+
{ ngx_string("ssl_client_cert"), NULL, ngx_http_ssl_variable,
(uintptr_t) ngx_ssl_get_certificate, NGX_HTTP_VAR_CHANGEABLE, 0 },
Changed |
nginx-1.5.12.tar.gz/src/http/modules/ngx_http_uwsgi_module.c
@@ -1017,7 +1017,7 @@
return ngx_http_uwsgi_process_header(r);
}
- if (u->state) {
+ if (u->state && u->state->status == 0) {
u->state->status = status->code;
}
@@ -1145,7 +1145,7 @@
ngx_str_set(&u->headers_in.status_line, "200 OK");
}
- if (u->state) {
+ if (u->state && u->state->status == 0) {
u->state->status = u->headers_in.status_n;
}
Changed |
nginx-1.5.12.tar.gz/src/http/ngx_http.c
@@ -1849,6 +1849,7 @@
#if (NGX_HTTP_SPDY)
addrs[i].conf.spdy = addr[i].opt.spdy;
#endif
+ addrs[i].conf.proxy_protocol = addr[i].opt.proxy_protocol;
if (addr[i].hash.buckets == NULL
&& (addr[i].wc_head == NULL
Changed |
nginx-1.5.12.tar.gz/src/http/ngx_http_core_module.c
@@ -2632,6 +2632,14 @@
return NGX_DONE;
}
+ if (r->uri.len == 0) {
+ ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
+ "empty URI in redirect to named location \"%V\"", name);
+
+ ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);
+ return NGX_DONE;
+ }
+
cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module);
if (cscf->named_locations) {
@@ -4279,6 +4287,11 @@
#endif
}
+ if (ngx_strcmp(value[n].data, "proxy_protocol") == 0) {
+ lsopt.proxy_protocol = 1;
+ continue;
+ }
+
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
"invalid parameter \"%V\"", &value[n]);
return NGX_CONF_ERROR;
Changed |
nginx-1.5.12.tar.gz/src/http/ngx_http_core_module.h
@@ -82,6 +82,7 @@
unsigned ipv6only:1;
#endif
unsigned so_keepalive:2;
+ unsigned proxy_protocol:1;
int backlog;
int rcvbuf;
@@ -243,6 +244,7 @@
#if (NGX_HTTP_SPDY)
unsigned spdy:1;
#endif
+ unsigned proxy_protocol:1;
};
Changed |
nginx-1.5.12.tar.gz/src/http/ngx_http_request.c
@@ -343,6 +343,11 @@
}
#endif
+ if (hc->addr_conf->proxy_protocol) {
+ hc->proxy_protocol = 1;
+ c->log->action = "reading PROXY protocol";
+ }
+
if (rev->ready) {
/* the deferred accept(), rtsig, aio, iocp */
@@ -368,6 +373,7 @@
static void
ngx_http_wait_request_handler(ngx_event_t *rev)
{
+ u_char *p;
size_t size;
ssize_t n;
ngx_buf_t *b;
@@ -458,6 +464,27 @@
b->last += n;
+ if (hc->proxy_protocol) {
+ hc->proxy_protocol = 0;
+
+ p = ngx_proxy_protocol_parse(c, b->pos, b->last);
+
+ if (p == NULL) {
+ ngx_http_close_connection(c);
+ return;
+ }
+
+ b->pos = p;
+
+ if (b->pos == b->last) {
+ c->log->action = "waiting for request";
+ b->pos = b->start;
+ b->last = b->start;
+ ngx_post_event(rev, &ngx_posted_events);
+ return;
+ }
+ }
+
c->log->action = "reading client request line";
ngx_reusable_connection(c, 0);
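Review bot: `hc->proxy_protocol` is cleared before the parse and a NULL result closes the connection, so the whole PROXY line has to be present in the first read. ngx_proxy_protocol_parse() returns NULL when it finds no CRLF before `last`, which makes a header that arrives split across reads indistinguishable from a malformed one. If that is intended, a comment such as `/* the PROXY header must arrive complete in the first read */` should say so; otherwise the handler would need to keep the flag set and wait for more data until NGX_PROXY_PROTOCOL_MAX_HEADER bytes have been seen. The same applies to ngx_http_spdy_proxy_protocol() and to the MSG_PEEK path in ngx_http_ssl_handshake(). The handler body continues outside the hunk.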
@@ -589,7 +616,8 @@
static void
ngx_http_ssl_handshake(ngx_event_t *rev)
{
- u_char buf[1];
+ u_char *p, buf[NGX_PROXY_PROTOCOL_MAX_HEADER + 1];
+ size_t size;
ssize_t n;
ngx_err_t err;
ngx_int_t rc;
@@ -598,6 +626,7 @@
ngx_http_ssl_srv_conf_t *sscf;
c = rev->data;
+ hc = c->data;
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, rev->log, 0,
"http check ssl handshake");
@@ -613,7 +642,9 @@
return;
}
- n = recv(c->fd, (char *) buf, 1, MSG_PEEK);
+ size = hc->proxy_protocol ? sizeof(buf) : 1;
+
+ n = recv(c->fd, (char *) buf, size, MSG_PEEK);
err = ngx_socket_errno;
@@ -640,12 +671,39 @@
return;
}
+ if (hc->proxy_protocol) {
+ hc->proxy_protocol = 0;
+
+ p = ngx_proxy_protocol_parse(c, buf, buf + n);
+
+ if (p == NULL) {
+ ngx_http_close_connection(c);
+ return;
+ }
+
+ size = p - buf;
+
+ if (c->recv(c, buf, size) != (ssize_t) size) {
+ ngx_http_close_connection(c);
+ return;
+ }
+
+ c->log->action = "SSL handshaking";
+
+ if (n == (ssize_t) size) {
+ ngx_post_event(rev, &ngx_posted_events);
+ return;
+ }
+
+ n = 1;
+ buf[0] = *p;
+ }
+
if (n == 1) {
if (buf[0] & 0x80 /* SSLv2 */ || buf[0] == 0x16 /* SSLv3/TLSv1 */) {
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, rev->log, 0,
"https ssl handshake: 0x%02Xd", buf[0]);
- hc = c->data;
sscf = ngx_http_get_module_srv_conf(hc->conf_ctx,
ngx_http_ssl_module);
@@ -2707,7 +2765,7 @@
if (getsockopt(c->fd, SOL_SOCKET, SO_ERROR, (void *) &err, &len)
== -1)
{
- err = ngx_errno;
+ err = ngx_socket_errno;
}
goto closed;
Changed |
nginx-1.5.12.tar.gz/src/http/ngx_http_request.h
@@ -309,8 +309,9 @@
ngx_int_t nfree;
#if (NGX_HTTP_SSL)
- ngx_uint_t ssl; /* unsigned ssl:1; */
+ unsigned ssl:1;
#endif
+ unsigned proxy_protocol:1;
} ngx_http_connection_t;
Changed |
nginx-1.5.12.tar.gz/src/http/ngx_http_request_body.c
@@ -953,13 +953,13 @@
if (clcf->client_max_body_size
&& clcf->client_max_body_size
- < r->headers_in.content_length_n + rb->chunked->size)
+ - r->headers_in.content_length_n < rb->chunked->size)
{
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
"client intended to send too large chunked "
- "body: %O bytes",
- r->headers_in.content_length_n
- + rb->chunked->size);
+ "body: %O+%O bytes",
+ r->headers_in.content_length_n,
+ rb->chunked->size);
r->lingering_close = 1;
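Review bot: The rewritten comparison `client_max_body_size - content_length_n < chunked->size` needs a comment, because without one it looks like a needless rearrangement of the old sum. The chunk size comes from the request, so presumably the old `content_length_n + size` could overflow and slip past the limit. A comment such as `/* compare by subtraction: content_length_n + size may overflow for a client-chosen chunk size */` would stop a later cleanup from restoring the addition. The surrounding function is outside the hunk.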
Changed |
nginx-1.5.12.tar.gz/src/http/ngx_http_spdy.c
@@ -95,6 +95,8 @@
static void ngx_http_spdy_write_handler(ngx_event_t *wev);
static void ngx_http_spdy_handle_connection(ngx_http_spdy_connection_t *sc);
+static u_char *ngx_http_spdy_proxy_protocol(ngx_http_spdy_connection_t *sc,
+ u_char *pos, u_char *end);
static u_char *ngx_http_spdy_state_head(ngx_http_spdy_connection_t *sc,
u_char *pos, u_char *end);
static u_char *ngx_http_spdy_state_syn_stream(ngx_http_spdy_connection_t *sc,
@@ -421,6 +423,11 @@
sc->handler = ngx_http_spdy_state_head;
+ if (hc->proxy_protocol) {
+ c->log->action = "reading PROXY protocol";
+ sc->handler = ngx_http_spdy_proxy_protocol;
+ }
+
sc->zstream_in.zalloc = ngx_http_spdy_zalloc;
sc->zstream_in.zfree = ngx_http_spdy_zfree;
sc->zstream_in.opaque = sc;
@@ -810,6 +817,22 @@
static u_char *
+ngx_http_spdy_proxy_protocol(ngx_http_spdy_connection_t *sc, u_char *pos,
+ u_char *end)
+{
+ pos = ngx_proxy_protocol_parse(sc->connection, pos, end);
+
+ if (pos == NULL) {
+ return ngx_http_spdy_state_protocol_error(sc);
+ }
+
+ sc->connection->log->action = "processing SPDY";
+
+ return ngx_http_spdy_state_complete(sc, pos, end);
+}
+
+
+static u_char *
ngx_http_spdy_state_head(ngx_http_spdy_connection_t *sc, u_char *pos,
u_char *end)
{
@@ -1038,7 +1061,7 @@
"spdy HEADERS block consists of %ui entries",
sc->entries);
- if (ngx_list_init(&r->headers_in.headers, r->pool, sc->entries + 3,
+ if (ngx_list_init(&r->headers_in.headers, r->pool, 20,
sizeof(ngx_table_elt_t))
!= NGX_OK)
{
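Review bot: The literal `20` that replaces `sc->entries + 3` in the ngx_list_init() call is unexplained. Judging by the log message above it, `sc->entries` is the entry count announced in the HEADERS block, so the old code appears to have let the peer choose the allocation size. A comment such as `/* fixed initial size: the announced entry count is client-controlled */` would record why the count must not be used here. The call sits in a function that starts and ends outside the hunk.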
@@ -1849,7 +1872,7 @@
ngx_http_spdy_state_save(ngx_http_spdy_connection_t *sc,
u_char *pos, u_char *end, ngx_http_spdy_handler_pt handler)
{
-#if (NGX_DEBUG)
+#if 1
if (end - pos > NGX_SPDY_STATE_BUFFER_SIZE) {
ngx_log_error(NGX_LOG_ALERT, sc->connection->log, 0,
"spdy state buffer overflow: "
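Review bot: Replacing `#if (NGX_DEBUG)` with `#if 1` leaves a bounds check that must always run wrapped in a guard that reads like leftover debugging. The check compares `end - pos` against NGX_SPDY_STATE_BUFFER_SIZE and presumably protects the copy that follows, so the `#if 1` and its `#endif` should be dropped. A comment such as `/* always enforced: the input length is peer-controlled */` would keep it from being made conditional again. The rest of ngx_http_spdy_state_save() is outside the hunk.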
@@ -2325,7 +2348,7 @@
ngx_http_spdy_parse_header(ngx_http_request_t *r)
{
u_char *p, *end, ch;
- ngx_uint_t len, hash;
+ ngx_uint_t hash;
ngx_http_core_srv_conf_t *cscf;
enum {
@@ -2348,9 +2371,9 @@
return NGX_AGAIN;
}
- len = ngx_spdy_frame_parse_uint32(p);
+ r->lowcase_index = ngx_spdy_frame_parse_uint32(p);
- if (!len) {
+ if (r->lowcase_index == 0) {
return NGX_HTTP_PARSE_INVALID_HEADER;
}
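Review bot: From this hunk on, `r->lowcase_index` holds the remaining length of the name or value being parsed rather than a lowcase index, and nothing in the code says so. The later hunks in ngx_http_spdy_parse_header() depend on it (`(ngx_uint_t) (end - p) < r->lowcase_index`, `while (r->lowcase_index--)`). That length comparison replaces the old `p + len` pointer arithmetic, which could presumably wrap on 32-bit platforms. A comment at the assignment, e.g. `/* lowcase_index is reused as the remaining length; compare lengths, never p + len */`, would protect the fix from being undone. The function starts and ends outside the hunk.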
@@ -2359,8 +2382,6 @@
p += NGX_SPDY_NV_NLEN_SIZE;
- r->header_name_end = p + len;
- r->lowcase_index = len;
r->invalid_header = 0;
state = sw_name;
@@ -2369,16 +2390,16 @@
case sw_name:
- if (r->header_name_end > end) {
+ if ((ngx_uint_t) (end - p) < r->lowcase_index) {
break;
}
cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module);
r->header_name_start = p;
+ r->header_name_end = p + r->lowcase_index;
if (p[0] == ':') {
- r->lowcase_index--;
p++;
}
@@ -2425,29 +2446,26 @@
break;
}
- len = ngx_spdy_frame_parse_uint32(p);
+ r->lowcase_index = ngx_spdy_frame_parse_uint32(p);
/* null-terminate header name */
*p = '\0';
p += NGX_SPDY_NV_VLEN_SIZE;
- r->header_end = p + len;
-
state = sw_value;
/* fall through */
case sw_value:
- if (r->header_end > end) {
+ if ((ngx_uint_t) (end - p) < r->lowcase_index) {
break;
}
r->header_start = p;
- for ( /* void */ ; p != r->header_end; p++) {
-
+ while (r->lowcase_index--) {
ch = *p;
if (ch == '\0') {
@@ -2456,7 +2474,7 @@
return NGX_ERROR;
}
- r->header_size = p - r->header_start;
+ r->header_end = p;
r->header_in->pos = p + 1;
return NGX_OK;
@@ -2465,9 +2483,11 @@
if (ch == CR || ch == LF) {
return NGX_HTTP_PARSE_INVALID_HEADER;
}
+
+ p++;
}
- r->header_size = p - r->header_start;
+ r->header_end = p;
r->header_in->pos = p;
r->state = 0;
@@ -2526,13 +2546,6 @@
buf->last = ngx_cpymem(new, old, rest);
}
- if (r->header_name_end > old) {
- r->header_name_end = new + (r->header_name_end - old);
-
- } else if (r->header_end > old) {
- r->header_end = new + (r->header_end - old);
- }
-
r->header_in = buf;
stream->header_buffers++;
@@ -2563,14 +2576,14 @@
}
if (r->header_name_start[0] == ':') {
+ r->header_name_start++;
+
for (i = 0; i < NGX_SPDY_REQUEST_HEADERS; i++) {
sh = &ngx_http_spdy_request_headers[i];
if (sh->hash != r->header_hash
- || sh->len != r->lowcase_index
- || ngx_strncmp(sh->header, &r->header_name_start[1],
- r->lowcase_index)
- != 0)
+ || sh->len != r->header_name_end - r->header_name_start
+ || ngx_strncmp(sh->header, r->header_name_start, sh->len) != 0)
{
continue;
}
@@ -2590,10 +2603,10 @@
h->hash = r->header_hash;
- h->key.len = r->lowcase_index;
+ h->key.len = r->header_name_end - r->header_name_start;
h->key.data = r->header_name_start;
- h->value.len = r->header_size;
+ h->value.len = r->header_end - r->header_start;
h->value.data = r->header_start;
h->lowcase_key = h->key.data;
@@ -2653,7 +2666,7 @@
return NGX_HTTP_PARSE_INVALID_HEADER;
}
- len = r->header_size;
+ len = r->header_end - r->header_start;
r->method_name.len = len;
r->method_name.data = r->header_start;
@@ -2733,10 +2746,10 @@
h->hash = r->header_hash;
- h->key.len = r->lowcase_index;
- h->key.data = &r->header_name_start[1];
+ h->key.len = r->header_name_end - r->header_name_start;
+ h->key.data = r->header_name_start;
- h->value.len = r->header_size;
+ h->value.len = r->header_end - r->header_start;
h->value.data = r->header_start;
h->lowcase_key = h->key.data;
@@ -2778,7 +2791,7 @@
p = r->header_start;
- if (r->header_size < 8 || !(ngx_str5cmp(p, 'H', 'T', 'T', 'P', '/'))) {
+ if (r->header_end - p < 8 || !(ngx_str5cmp(p, 'H', 'T', 'T', 'P', '/'))) {
return NGX_HTTP_PARSE_INVALID_REQUEST;
}
@@ -2794,6 +2807,10 @@
ch = *p;
+ if (ch == '.') {
+ break;
+ }
+
if (ch < '0' || ch > '9') {
return NGX_HTTP_PARSE_INVALID_REQUEST;
}
@@ -2824,7 +2841,7 @@
r->http_minor = r->http_minor * 10 + ch - '0';
}
- r->http_protocol.len = r->header_size;
+ r->http_protocol.len = r->header_end - r->header_start;
r->http_protocol.data = r->header_start;
r->http_version = r->http_major * 1000 + r->http_minor;
Changed |
nginx-1.5.12.tar.gz/src/http/ngx_http_spdy.h
@@ -174,6 +174,9 @@
for (out = &sc->last_out; *out; out = &(*out)->next)
{
+ /*
+ * NB: higher values represent lower priorities.
+ */
if (frame->priority >= (*out)->priority) {
break;
}
Changed |
nginx-1.5.12.tar.gz/src/http/ngx_http_spdy_filter_module.c
@@ -967,7 +967,10 @@
{
s = ngx_queue_data(q, ngx_http_spdy_stream_t, queue);
- if (s->priority >= stream->priority) {
+ /*
+ * NB: higher values represent lower priorities.
+ */
+ if (stream->priority >= s->priority) {
break;
}
}
Changed |
nginx-1.5.12.tar.gz/src/http/ngx_http_upstream.c
@@ -715,7 +715,7 @@
if (r->cache->header_start + 256 >= u->conf->buffer_size) {
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
"%V_buffer_size %uz is not enough for cache key, "
- "it should increased at least to %uz",
+ "it should be increased to at least %uz",
&u->conf->module, u->conf->buffer_size,
ngx_align(r->cache->header_start + 256, 1024));
@@ -1096,7 +1096,7 @@
if (getsockopt(c->fd, SOL_SOCKET, SO_ERROR, (void *) &err, &len)
== -1)
{
- err = ngx_errno;
+ err = ngx_socket_errno;
}
if (err) {
@@ -1977,7 +1977,7 @@
if (getsockopt(c->fd, SOL_SOCKET, SO_ERROR, (void *) &err, &len)
== -1)
{
- err = ngx_errno;
+ err = ngx_socket_errno;
}
if (err) {
@@ -2557,7 +2557,9 @@
if (u->peer.connection->read->ready
|| u->buffer.pos != u->buffer.last)
{
+ ngx_post_event(c->read, &ngx_posted_events);
ngx_http_upstream_process_upgraded(r, 1, 1);
+ return;
}
ngx_http_upstream_process_upgraded(r, 0, 1);
Changed |
nginx-1.5.12.tar.gz/src/http/ngx_http_variables.c
@@ -54,6 +54,8 @@
ngx_http_variable_value_t *v, uintptr_t data);
static ngx_int_t ngx_http_variable_remote_port(ngx_http_request_t *r,
ngx_http_variable_value_t *v, uintptr_t data);
+static ngx_int_t ngx_http_variable_proxy_protocol_addr(ngx_http_request_t *r,
+ ngx_http_variable_value_t *v, uintptr_t data);
static ngx_int_t ngx_http_variable_server_addr(ngx_http_request_t *r,
ngx_http_variable_value_t *v, uintptr_t data);
static ngx_int_t ngx_http_variable_server_port(ngx_http_request_t *r,
@@ -183,6 +185,9 @@
{ ngx_string("remote_port"), NULL, ngx_http_variable_remote_port, 0, 0, 0 },
+ { ngx_string("proxy_protocol_addr"), NULL,
+ ngx_http_variable_proxy_protocol_addr, 0, 0, 0 },
+
{ ngx_string("server_addr"), NULL, ngx_http_variable_server_addr, 0, 0, 0 },
{ ngx_string("server_port"), NULL, ngx_http_variable_server_port, 0, 0, 0 },
@@ -1203,6 +1208,20 @@
return NGX_OK;
}
+
+
+static ngx_int_t
+ngx_http_variable_proxy_protocol_addr(ngx_http_request_t *r,
+ ngx_http_variable_value_t *v, uintptr_t data)
+{
+ v->len = r->connection->proxy_protocol_addr.len;
+ v->valid = 1;
+ v->no_cacheable = 0;
+ v->not_found = 0;
+ v->data = r->connection->proxy_protocol_addr.data;
+
+ return NGX_OK;
+}
static ngx_int_t
Changed |
nginx-1.5.12.tar.gz/src/mail/ngx_mail_handler.c
@@ -127,7 +127,7 @@
c->data = s;
s->connection = c;
- ngx_log_error(NGX_LOG_INFO, c->log, 0, "*%ui client %V connected to %V",
+ ngx_log_error(NGX_LOG_INFO, c->log, 0, "*%uA client %V connected to %V",
c->number, &c->addr_text, s->addr_text);
ctx = ngx_palloc(c->pool, sizeof(ngx_mail_log_ctx_t));
Changed |
nginx-1.5.12.tar.gz/src/os/unix/ngx_freebsd_sendfile_chain.c
@@ -231,7 +231,7 @@
&& c->tcp_nopush == NGX_TCP_NOPUSH_UNSET)
{
if (ngx_tcp_nopush(c->fd) == NGX_ERROR) {
- err = ngx_errno;
+ err = ngx_socket_errno;
/*
* there is a tiny chance to be interrupted, however,
Changed |
nginx-1.5.12.tar.gz/src/os/unix/ngx_linux_sendfile_chain.c
@@ -163,7 +163,7 @@
if (setsockopt(c->fd, IPPROTO_TCP, TCP_NODELAY,
(const void *) &tcp_nodelay, sizeof(int)) == -1)
{
- err = ngx_errno;
+ err = ngx_socket_errno;
/*
* there is a tiny chance to be interrupted, however,
@@ -189,7 +189,7 @@
if (c->tcp_nodelay == NGX_TCP_NODELAY_UNSET) {
if (ngx_tcp_nopush(c->fd) == NGX_ERROR) {
- err = ngx_errno;
+ err = ngx_socket_errno;
/*
* there is a tiny chance to be interrupted, however,
Changed |
nginx-1.5.12.tar.gz/src/os/unix/ngx_process_cycle.c
@@ -1046,8 +1046,8 @@
&& !c[i].read->resolver)
{
ngx_log_error(NGX_LOG_ALERT, cycle->log, 0,
- "open socket #%d left in connection %ui",
- c[i].fd, i);
+ "*%uA open socket #%d left in connection %ui",
+ c[i].number, c[i].fd, i);
ngx_debug_quit = 1;
}
}