mirror of https://github.com/nginx/nginx.git
Compare commits
37 Commits
master
...
release-1.
Author | SHA1 | Date |
---|---|---|
![]() |
1be0fb0c9f | |
![]() |
13935cf9fd | |
![]() |
95f9116128 | |
![]() |
a43f1272c3 | |
![]() |
2e42c1e29e | |
![]() |
9cda58178b | |
![]() |
977824010f | |
![]() |
5c8a92f1f0 | |
![]() |
0d11f2885e | |
![]() |
e9e83dbb69 | |
![]() |
1ebe58a02e | |
![]() |
4712dee882 | |
![]() |
cfd68334d8 | |
![]() |
35a1420560 | |
![]() |
bfe0a1fd6e | |
![]() |
11b890d66d | |
![]() |
99a5842241 | |
![]() |
37fe983554 | |
![]() |
6da478eacd | |
![]() |
2262362fd3 | |
![]() |
3dc0fba5ad | |
![]() |
e1daadc388 | |
![]() |
ddd5b9c531 | |
![]() |
46222c0ab3 | |
![]() |
02725ce722 | |
![]() |
ffed470390 | |
![]() |
0e7702e066 | |
![]() |
376f12e40a | |
![]() |
3f2d8cb8f9 | |
![]() |
326150b82d | |
![]() |
eaa6daa5f5 | |
![]() |
75e3004902 | |
![]() |
a728869cd1 | |
![]() |
ee561abfdf | |
![]() |
ea3f44e012 | |
![]() |
361f6bf4b1 | |
![]() |
ee19cf9800 |
3
.hgtags
3
.hgtags
|
@ -478,3 +478,6 @@ f8134640e8615448205785cf00b0bc810489b495 release-1.25.1
|
|||
294a3d07234f8f65d7b0e0b0e2c5b05c12c5da0a release-1.25.3
|
||||
173a0a7dbce569adbb70257c6ec4f0f6bc585009 release-1.25.4
|
||||
8618e4d900cc71082fbe7dc72af087937d64faf5 release-1.25.5
|
||||
a58202a8c41bf0bd97eef1b946e13105a105520d release-1.26.0
|
||||
a63c124e34bcf2d1d1feb8d40ff075103b967c4c release-1.26.1
|
||||
e4c5da06073ca24e2ffc5c8f8b8d7833a926356f release-1.26.2
|
||||
|
|
|
@ -7,8 +7,8 @@ if [ $NGX_LIBATOMIC != YES ]; then
|
|||
|
||||
have=NGX_HAVE_LIBATOMIC . auto/have
|
||||
CORE_INCS="$CORE_INCS $NGX_LIBATOMIC/src"
|
||||
LINK_DEPS="$LINK_DEPS $NGX_LIBATOMIC/src/libatomic_ops.a"
|
||||
CORE_LIBS="$CORE_LIBS $NGX_LIBATOMIC/src/libatomic_ops.a"
|
||||
LINK_DEPS="$LINK_DEPS $NGX_LIBATOMIC/build/lib/libatomic_ops.a"
|
||||
CORE_LIBS="$CORE_LIBS $NGX_LIBATOMIC/build/lib/libatomic_ops.a"
|
||||
|
||||
else
|
||||
|
||||
|
@ -19,7 +19,7 @@ else
|
|||
#include <atomic_ops.h>"
|
||||
ngx_feature_path=
|
||||
ngx_feature_libs="-latomic_ops"
|
||||
ngx_feature_test="long n = 0;
|
||||
ngx_feature_test="AO_t n = 0;
|
||||
if (!AO_compare_and_swap(&n, 0, 1))
|
||||
return 1;
|
||||
if (AO_fetch_and_add(&n, 1) != 1)
|
||||
|
|
|
@ -3,14 +3,19 @@
|
|||
# Copyright (C) Nginx, Inc.
|
||||
|
||||
|
||||
case $NGX_LIBATOMIC in
|
||||
/*) ngx_prefix="$NGX_LIBATOMIC/build" ;;
|
||||
*) ngx_prefix="$PWD/$NGX_LIBATOMIC/build" ;;
|
||||
esac
|
||||
|
||||
cat << END >> $NGX_MAKEFILE
|
||||
|
||||
$NGX_LIBATOMIC/src/libatomic_ops.a: $NGX_LIBATOMIC/Makefile
|
||||
cd $NGX_LIBATOMIC && \$(MAKE)
|
||||
$NGX_LIBATOMIC/build/lib/libatomic_ops.a: $NGX_LIBATOMIC/Makefile
|
||||
cd $NGX_LIBATOMIC && \$(MAKE) && \$(MAKE) install
|
||||
|
||||
$NGX_LIBATOMIC/Makefile: $NGX_MAKEFILE
|
||||
cd $NGX_LIBATOMIC \\
|
||||
&& if [ -f Makefile ]; then \$(MAKE) distclean; fi \\
|
||||
&& ./configure
|
||||
&& ./configure --prefix=$ngx_prefix
|
||||
|
||||
END
|
||||
|
|
|
@ -36,7 +36,8 @@ if [ $PCRE_LIBRARY = PCRE2 ]; then
|
|||
pcre2_valid_utf.c \
|
||||
pcre2_xclass.c"
|
||||
|
||||
ngx_pcre_test="pcre2_convert.c \
|
||||
ngx_pcre_test="pcre2_chkdint.c \
|
||||
pcre2_convert.c \
|
||||
pcre2_extuni.c \
|
||||
pcre2_find_bracket.c \
|
||||
pcre2_script_run.c \
|
||||
|
|
|
@ -5,6 +5,175 @@
|
|||
<change_log title="nginx">
|
||||
|
||||
|
||||
<changes ver="1.26.3" date="2025-02-05">
|
||||
|
||||
<change type="security">
|
||||
<para lang="ru">
|
||||
недостаточная проверка в обработке виртуальных серверов
|
||||
при использовании SNI в TLSv1.3 позволяла повторно использовать
|
||||
SSL-сессию в контексте другого виртуального сервера,
|
||||
чтобы обойти проверку клиентских SSL-сертификатов (CVE-2025-23419).
|
||||
</para>
|
||||
<para lang="en">
|
||||
insufficient check in virtual servers handling with TLSv1.3 SNI
|
||||
allowed to reuse SSL sessions in a different virtual server,
|
||||
to bypass client SSL certificates verification (CVE-2025-23419).
|
||||
</para>
|
||||
</change>
|
||||
|
||||
<change type="bugfix">
|
||||
<para lang="ru">
|
||||
в модуле ngx_http_mp4_module.<br/>
|
||||
Спасибо Nils Bars.
|
||||
</para>
|
||||
<para lang="en">
|
||||
in the ngx_http_mp4_module.<br/>
|
||||
Thanks to Nils Bars.
|
||||
</para>
|
||||
</change>
|
||||
|
||||
<change type="workaround">
|
||||
<para lang="ru">
|
||||
при использовании zlib-ng
|
||||
в логах появлялись сообщения "gzip filter failed to use preallocated memory".
|
||||
</para>
|
||||
<para lang="en">
|
||||
"gzip filter failed to use preallocated memory" alerts appeared in logs
|
||||
when using zlib-ng.
|
||||
</para>
|
||||
</change>
|
||||
|
||||
<change type="bugfix">
|
||||
<para lang="ru">
|
||||
nginx не мог собрать библиотеку libatomic из исходных текстов,
|
||||
если использовался параметр --with-libatomic=DIR.
|
||||
</para>
|
||||
<para lang="en">
|
||||
nginx could not build libatomic library using the library sources
|
||||
if the --with-libatomic=DIR option was used.
|
||||
</para>
|
||||
</change>
|
||||
|
||||
<change type="bugfix">
|
||||
<para lang="ru">
|
||||
теперь nginx игнорирует пакеты согласования версий QUIC от клиентов.
|
||||
</para>
|
||||
<para lang="en">
|
||||
nginx now ignores QUIC version negotiation packets from clients.
|
||||
</para>
|
||||
</change>
|
||||
|
||||
<change type="bugfix">
|
||||
<para lang="ru">
|
||||
nginx не собирался на Solaris 10 и более ранних
|
||||
с модулем ngx_http_v3_module.
|
||||
</para>
|
||||
<para lang="en">
|
||||
nginx could not be built on Solaris 10 and earlier
|
||||
with the ngx_http_v3_module.
|
||||
</para>
|
||||
</change>
|
||||
|
||||
<change>
|
||||
<para lang="ru">
|
||||
Исправления в HTTP/3.
|
||||
</para>
|
||||
<para lang="en">
|
||||
Bugfixes in HTTP/3.
|
||||
</para>
|
||||
</change>
|
||||
|
||||
</changes>
|
||||
|
||||
|
||||
<changes ver="1.26.2" date="2024-08-14">
|
||||
|
||||
<change type="security">
|
||||
<para lang="ru">
|
||||
обработка специально созданного mp4-файла модулем ngx_http_mp4_module
|
||||
могла приводить к падению рабочего процесса (CVE-2024-7347).<br/>
|
||||
Спасибо Nils Bars.
|
||||
</para>
|
||||
<para lang="en">
|
||||
processing of a specially crafted mp4 file by the ngx_http_mp4_module
|
||||
might cause a worker process crash (CVE-2024-7347).<br/>
|
||||
Thanks to Nils Bars.
|
||||
</para>
|
||||
</change>
|
||||
|
||||
</changes>
|
||||
|
||||
|
||||
<changes ver="1.26.1" date="2024-05-29">
|
||||
|
||||
<change type="security">
|
||||
<para lang="ru">
|
||||
при использовании HTTP/3 обработка специально созданной QUIC-сессии могла
|
||||
приводить к падению рабочего процесса, отправке клиенту содержимого памяти
|
||||
рабочего процесса на системах с MTU больше 4096 байт, а также потенциально
|
||||
могла иметь другие последствия
|
||||
(CVE-2024-32760, CVE-2024-31079, CVE-2024-35200, CVE-2024-34161).<br/>
|
||||
Спасибо Nils Bars из CISPA.
|
||||
</para>
|
||||
<para lang="en">
|
||||
when using HTTP/3, processing of a specially crafted QUIC session might
|
||||
cause a worker process crash, worker process memory disclosure on systems
|
||||
with MTU larger than 4096 bytes, or might have potential other impact
|
||||
(CVE-2024-32760, CVE-2024-31079, CVE-2024-35200, CVE-2024-34161).<br/>
|
||||
Thanks to Nils Bars of CISPA.
|
||||
</para>
|
||||
</change>
|
||||
|
||||
<change type="bugfix">
|
||||
<para lang="ru">
|
||||
уменьшено потребление памяти для долгоживущих запросов,
|
||||
если используются директивы gzip, gunzip, ssi, sub_filter или grpc_pass.
|
||||
</para>
|
||||
<para lang="en">
|
||||
reduced memory consumption for long-lived requests
|
||||
if "gzip", "gunzip", "ssi", "sub_filter", or "grpc_pass" directives are used.
|
||||
</para>
|
||||
</change>
|
||||
|
||||
<change type="bugfix">
|
||||
<para lang="ru">
|
||||
nginx не собирался gcc 14,
|
||||
если использовался параметр --with-libatomic.<br/>
|
||||
Спасибо Edgar Bonet.
|
||||
</para>
|
||||
<para lang="en">
|
||||
nginx could not be built by gcc 14
|
||||
if the --with-libatomic option was used.<br/>
|
||||
Thanks to Edgar Bonet.
|
||||
</para>
|
||||
</change>
|
||||
|
||||
<change type="bugfix">
|
||||
<para lang="ru">
|
||||
в HTTP/3.
|
||||
</para>
|
||||
<para lang="en">
|
||||
in HTTP/3.
|
||||
</para>
|
||||
</change>
|
||||
|
||||
</changes>
|
||||
|
||||
|
||||
<changes ver="1.26.0" date="2024-04-23">
|
||||
|
||||
<change>
|
||||
<para lang="ru">
|
||||
Стабильная ветка 1.26.x.
|
||||
</para>
|
||||
<para lang="en">
|
||||
1.26.x stable branch.
|
||||
</para>
|
||||
</change>
|
||||
|
||||
</changes>
|
||||
|
||||
|
||||
<changes ver="1.25.5" date="2024-04-16">
|
||||
|
||||
<change type="feature">
|
||||
|
|
|
@ -6,7 +6,7 @@ TEMP = tmp
|
|||
|
||||
CC = cl
|
||||
OBJS = objs.msvc8
|
||||
OPENSSL = openssl-3.0.13
|
||||
OPENSSL = openssl-3.0.15
|
||||
ZLIB = zlib-1.3.1
|
||||
PCRE = pcre2-10.39
|
||||
|
||||
|
@ -15,8 +15,6 @@ release: export
|
|||
|
||||
mv $(TEMP)/$(NGINX)/auto/configure $(TEMP)/$(NGINX)
|
||||
|
||||
mv $(TEMP)/$(NGINX)/docs/text/LICENSE $(TEMP)/$(NGINX)
|
||||
mv $(TEMP)/$(NGINX)/docs/text/README $(TEMP)/$(NGINX)
|
||||
mv $(TEMP)/$(NGINX)/docs/html $(TEMP)/$(NGINX)
|
||||
mv $(TEMP)/$(NGINX)/docs/man $(TEMP)/$(NGINX)
|
||||
|
||||
|
@ -30,12 +28,12 @@ release: export
|
|||
|
||||
export:
|
||||
rm -rf $(TEMP)
|
||||
hg archive -X '.hg*' $(TEMP)/$(NGINX)
|
||||
git archive --prefix=$(TEMP)/$(NGINX)/ HEAD | tar -x -f - --exclude '.git*'
|
||||
|
||||
|
||||
RELEASE:
|
||||
hg ci -m nginx-$(VER)-RELEASE
|
||||
hg tag -m "release-$(VER) tag" release-$(VER)
|
||||
git commit -m nginx-$(VER)-RELEASE
|
||||
git tag -m "release-$(VER) tag" release-$(VER)
|
||||
|
||||
$(MAKE) -f misc/GNUmakefile release
|
||||
|
||||
|
@ -93,8 +91,8 @@ zip: export
|
|||
|
||||
sed -i '' -e "s/$$/`printf '\r'`/" $(TEMP)/$(NGINX)/conf/*
|
||||
|
||||
mv $(TEMP)/$(NGINX)/docs/text/LICENSE $(TEMP)/$(NGINX)/docs.new
|
||||
mv $(TEMP)/$(NGINX)/docs/text/README $(TEMP)/$(NGINX)/docs.new
|
||||
mv $(TEMP)/$(NGINX)/LICENSE $(TEMP)/$(NGINX)/docs.new
|
||||
mv $(TEMP)/$(NGINX)/README $(TEMP)/$(NGINX)/docs.new
|
||||
mv $(TEMP)/$(NGINX)/docs/html $(TEMP)/$(NGINX)
|
||||
|
||||
rm -r $(TEMP)/$(NGINX)/docs
|
||||
|
|
|
@ -9,8 +9,8 @@
|
|||
#define _NGINX_H_INCLUDED_
|
||||
|
||||
|
||||
#define nginx_version 1025005
|
||||
#define NGINX_VERSION "1.25.5"
|
||||
#define nginx_version 1026003
|
||||
#define NGINX_VERSION "1.26.3"
|
||||
#define NGINX_VER "nginx/" NGINX_VERSION
|
||||
|
||||
#ifdef NGX_BUILD
|
||||
|
|
|
@ -117,7 +117,10 @@ ngx_output_chain(ngx_output_chain_ctx_t *ctx, ngx_chain_t *in)
|
|||
|
||||
ngx_debug_point();
|
||||
|
||||
ctx->in = ctx->in->next;
|
||||
cl = ctx->in;
|
||||
ctx->in = cl->next;
|
||||
|
||||
ngx_free_chain(ctx->pool, cl);
|
||||
|
||||
continue;
|
||||
}
|
||||
|
@ -203,7 +206,10 @@ ngx_output_chain(ngx_output_chain_ctx_t *ctx, ngx_chain_t *in)
|
|||
/* delete the completed buf from the ctx->in chain */
|
||||
|
||||
if (ngx_buf_size(ctx->in->buf) == 0) {
|
||||
ctx->in = ctx->in->next;
|
||||
cl = ctx->in;
|
||||
ctx->in = cl->next;
|
||||
|
||||
ngx_free_chain(ctx->pool, cl);
|
||||
}
|
||||
|
||||
cl = ngx_alloc_chain_link(ctx->pool);
|
||||
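Review bot: The `ngx_free_chain(ctx->pool, cl)` calls in both hunks of ngx_output_chain put a link back on the pool's free list without any comment on who owns that link, and the same unlink-then-free pattern recurs in the grpc, gunzip, gzip, ssi and sub filter sections of this compare. Recycling a link is only safe if no other pointer to it survives and, presumably, if it was allocated from the pool it is returned to; neither condition is visible in these hunks. I would add a comment at each site, for example `/* link is exclusively ours and was allocated from ctx->pool; safe to recycle */`. The body of ngx_output_chain continues outside both hunks, so the allocation side could not be checked here.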
|
|
|
@ -648,6 +648,7 @@ ngx_quic_free_buffer(ngx_connection_t *c, ngx_quic_buffer_t *qb)
|
|||
ngx_quic_free_chain(c, qb->chain);
|
||||
|
||||
qb->chain = NULL;
|
||||
qb->last_chain = NULL;
|
||||
}
|
||||
|
||||
|
||||
|
|
|
@ -391,6 +391,7 @@ SSL_set_quic_method(SSL *ssl, const SSL_QUIC_METHOD *quic_method)
|
|||
|
||||
wbio = BIO_new(BIO_s_null());
|
||||
if (wbio == NULL) {
|
||||
BIO_free(rbio);
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
|
|
@ -411,7 +411,7 @@ ngx_quic_send_segments(ngx_connection_t *c, u_char *buf, size_t len,
|
|||
ngx_memzero(msg_control, sizeof(msg_control));
|
||||
|
||||
iov.iov_len = len;
|
||||
iov.iov_base = buf;
|
||||
iov.iov_base = (void *) buf;
|
||||
|
||||
msg.msg_iov = &iov;
|
||||
msg.msg_iovlen = 1;
|
||||
|
@ -699,7 +699,7 @@ ngx_quic_send(ngx_connection_t *c, u_char *buf, size_t len,
|
|||
ngx_memzero(&msg, sizeof(struct msghdr));
|
||||
|
||||
iov.iov_len = len;
|
||||
iov.iov_base = buf;
|
||||
iov.iov_base = (void *) buf;
|
||||
|
||||
msg.msg_iov = &iov;
|
||||
msg.msg_iovlen = 1;
|
||||
|
|
|
@ -326,6 +326,11 @@ ngx_quic_handle_crypto_frame(ngx_connection_t *c, ngx_quic_header_t *pkt,
|
|||
ngx_quic_crypto_frame_t *f;
|
||||
|
||||
qc = ngx_quic_get_connection(c);
|
||||
|
||||
if (!ngx_quic_keys_available(qc->keys, pkt->level, 0)) {
|
||||
return NGX_OK;
|
||||
}
|
||||
|
||||
ctx = ngx_quic_get_send_ctx(qc, pkt->level);
|
||||
f = &frame->u.crypto;
|
||||
|
||||
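Review bot: The early `return NGX_OK` taken when `ngx_quic_keys_available(qc->keys, pkt->level, 0)` is false drops the CRYPTO frame without leaving any trace, so a peer that keeps sending handshake data at a level with no keys is invisible in the logs. A comment giving the reason, e.g. `/* no keys at this level any more; ignore late CRYPTO data */`, plus a debug line such as `ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "quic crypto frame ignored, no keys");` would make the silent success auditable. The stated reason is my reading of the check, and the rest of ngx_quic_handle_crypto_frame lies outside the hunk.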
|
|
|
@ -174,7 +174,7 @@ ngx_int_t
|
|||
ngx_quic_close_streams(ngx_connection_t *c, ngx_quic_connection_t *qc)
|
||||
{
|
||||
ngx_pool_t *pool;
|
||||
ngx_queue_t *q;
|
||||
ngx_queue_t *q, posted_events;
|
||||
ngx_rbtree_t *tree;
|
||||
ngx_connection_t *sc;
|
||||
ngx_rbtree_node_t *node;
|
||||
|
@ -197,6 +197,8 @@ ngx_quic_close_streams(ngx_connection_t *c, ngx_quic_connection_t *qc)
|
|||
return NGX_OK;
|
||||
}
|
||||
|
||||
ngx_queue_init(&posted_events);
|
||||
|
||||
node = ngx_rbtree_min(tree->root, tree->sentinel);
|
||||
|
||||
while (node) {
|
||||
|
@ -213,15 +215,21 @@ ngx_quic_close_streams(ngx_connection_t *c, ngx_quic_connection_t *qc)
|
|||
}
|
||||
|
||||
sc->read->error = 1;
|
||||
sc->read->ready = 1;
|
||||
sc->write->error = 1;
|
||||
|
||||
ngx_quic_set_event(sc->read);
|
||||
ngx_quic_set_event(sc->write);
|
||||
sc->write->ready = 1;
|
||||
|
||||
sc->close = 1;
|
||||
sc->read->handler(sc->read);
|
||||
|
||||
if (sc->read->posted) {
|
||||
ngx_delete_posted_event(sc->read);
|
||||
}
|
||||
|
||||
ngx_post_event(sc->read, &posted_events);
|
||||
}
|
||||
|
||||
ngx_event_process_posted((ngx_cycle_t *) ngx_cycle, &posted_events);
|
||||
|
||||
if (tree->root == tree->sentinel) {
|
||||
return NGX_OK;
|
||||
}
|
||||
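Review bot: Nothing in the loop of ngx_quic_close_streams says why the read events are queued on the local `posted_events` and run by `ngx_event_process_posted()` after the traversal, rather than having their handlers called in place. Presumably a handler can close its stream and change `tree` while `node` is still being walked; if so, a comment above `ngx_post_event(sc->read, &posted_events);` should record it, e.g. `/* defer handlers: they may free streams and modify the tree under iteration */`. The same comment should note that `posted_events` is a stack object and has to be fully drained before the function returns. Which printed lines are old and which are new is inferred from the hunk headers, since the +/- markers were lost in rendering.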
|
|
|
@ -295,6 +295,11 @@ ngx_quic_parse_packet(ngx_quic_header_t *pkt)
|
|||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
if (pkt->version == 0) {
|
||||
/* version negotiation */
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
if (!ngx_quic_supported_version(pkt->version)) {
|
||||
return NGX_ABORT;
|
||||
}
|
||||
|
@ -1750,6 +1755,14 @@ ngx_quic_parse_transport_params(u_char *p, u_char *end, ngx_quic_tp_t *tp,
|
|||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
if ((size_t) (end - p) < len) {
|
||||
ngx_log_error(NGX_LOG_INFO, log, 0,
|
||||
"quic failed to parse"
|
||||
" transport param id:0x%xL, data length %uL too long",
|
||||
id, len);
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
rc = ngx_quic_parse_transport_param(p, p + len, id, tp);
|
||||
|
||||
if (rc == NGX_ERROR) {
|
||||
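Review bot: In ngx_quic_parse_transport_params the guard `(size_t) (end - p) < len` is the only thing keeping `p + len` inside the buffer, and it is correct only while `p <= end` holds when it runs; that depends on the length parsing above the hunk, which is not visible. I would state the invariant next to the check, `/* p <= end here, so the cast cannot wrap; len comes from the peer */`. In ngx_quic_parse_packet the `pkt->version == 0` branch is commented only as `/* version negotiation */`, which names the packet type but not why it returns NGX_ERROR ahead of the `ngx_quic_supported_version()` check that returns NGX_ABORT. If the intent is that such packets are dropped without a reply, the comment should say so.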
|
|
|
@ -1231,7 +1231,7 @@ ngx_http_grpc_body_output_filter(void *data, ngx_chain_t *in)
|
|||
ngx_buf_t *b;
|
||||
ngx_int_t rc;
|
||||
ngx_uint_t next, last;
|
||||
ngx_chain_t *cl, *out, **ll;
|
||||
ngx_chain_t *cl, *out, *ln, **ll;
|
||||
ngx_http_upstream_t *u;
|
||||
ngx_http_grpc_ctx_t *ctx;
|
||||
ngx_http_grpc_frame_t *f;
|
||||
|
@ -1459,7 +1459,10 @@ ngx_http_grpc_body_output_filter(void *data, ngx_chain_t *in)
|
|||
last = 1;
|
||||
}
|
||||
|
||||
ln = in;
|
||||
in = in->next;
|
||||
|
||||
ngx_free_chain(r->pool, ln);
|
||||
}
|
||||
|
||||
ctx->in = in;
|
||||
|
|
|
@ -333,6 +333,8 @@ static ngx_int_t
|
|||
ngx_http_gunzip_filter_add_data(ngx_http_request_t *r,
|
||||
ngx_http_gunzip_ctx_t *ctx)
|
||||
{
|
||||
ngx_chain_t *cl;
|
||||
|
||||
if (ctx->zstream.avail_in || ctx->flush != Z_NO_FLUSH || ctx->redo) {
|
||||
return NGX_OK;
|
||||
}
|
||||
|
@ -344,8 +346,11 @@ ngx_http_gunzip_filter_add_data(ngx_http_request_t *r,
|
|||
return NGX_DECLINED;
|
||||
}
|
||||
|
||||
ctx->in_buf = ctx->in->buf;
|
||||
ctx->in = ctx->in->next;
|
||||
cl = ctx->in;
|
||||
ctx->in_buf = cl->buf;
|
||||
ctx->in = cl->next;
|
||||
|
||||
ngx_free_chain(r->pool, cl);
|
||||
|
||||
ctx->zstream.next_in = ctx->in_buf->pos;
|
||||
ctx->zstream.avail_in = ctx->in_buf->last - ctx->in_buf->pos;
|
||||
|
@ -374,6 +379,7 @@ static ngx_int_t
|
|||
ngx_http_gunzip_filter_get_buf(ngx_http_request_t *r,
|
||||
ngx_http_gunzip_ctx_t *ctx)
|
||||
{
|
||||
ngx_chain_t *cl;
|
||||
ngx_http_gunzip_conf_t *conf;
|
||||
|
||||
if (ctx->zstream.avail_out) {
|
||||
|
@ -383,8 +389,12 @@ ngx_http_gunzip_filter_get_buf(ngx_http_request_t *r,
|
|||
conf = ngx_http_get_module_loc_conf(r, ngx_http_gunzip_filter_module);
|
||||
|
||||
if (ctx->free) {
|
||||
ctx->out_buf = ctx->free->buf;
|
||||
ctx->free = ctx->free->next;
|
||||
|
||||
cl = ctx->free;
|
||||
ctx->out_buf = cl->buf;
|
||||
ctx->free = cl->next;
|
||||
|
||||
ngx_free_chain(r->pool, cl);
|
||||
|
||||
ctx->out_buf->flush = 0;
|
||||
|
||||
|
|
|
@ -516,8 +516,10 @@ ngx_http_gzip_filter_memory(ngx_http_request_t *r, ngx_http_gzip_ctx_t *ctx)
|
|||
/*
|
||||
* Another zlib variant, https://github.com/zlib-ng/zlib-ng.
|
||||
* It used to force window bits to 13 for fast compression level,
|
||||
* uses (64 + sizeof(void*)) additional space on all allocations
|
||||
* for alignment, 16-byte padding in one of window-sized buffers,
|
||||
* used (64 + sizeof(void*)) additional space on all allocations
|
||||
* for alignment and 16-byte padding in one of window-sized buffers,
|
||||
* uses a single allocation with up to 200 bytes for alignment and
|
||||
* internal pointers, 5/4 times more memory for the pending buffer,
|
||||
* and 128K hash.
|
||||
*/
|
||||
|
||||
|
@ -526,7 +528,7 @@ ngx_http_gzip_filter_memory(ngx_http_request_t *r, ngx_http_gzip_ctx_t *ctx)
|
|||
}
|
||||
|
||||
ctx->allocated = 8192 + 16 + (1 << (wbits + 2))
|
||||
+ 131072 + (1 << (memlevel + 8))
|
||||
+ 131072 + (5 << (memlevel + 6))
|
||||
+ 4 * (64 + sizeof(void*));
|
||||
ctx->zlib_ng = 1;
|
||||
}
|
||||
|
@ -985,10 +987,14 @@ static void
|
|||
ngx_http_gzip_filter_free_copy_buf(ngx_http_request_t *r,
|
||||
ngx_http_gzip_ctx_t *ctx)
|
||||
{
|
||||
ngx_chain_t *cl;
|
||||
ngx_chain_t *cl, *ln;
|
||||
|
||||
for (cl = ctx->copied; cl; cl = cl->next) {
|
||||
ngx_pfree(r->pool, cl->buf->start);
|
||||
for (cl = ctx->copied; cl; /* void */) {
|
||||
ln = cl;
|
||||
cl = cl->next;
|
||||
|
||||
ngx_pfree(r->pool, ln->buf->start);
|
||||
ngx_free_chain(r->pool, ln);
|
||||
}
|
||||
|
||||
ctx->copied = NULL;
|
||||
|
|
|
@ -3099,7 +3099,8 @@ static ngx_int_t
|
|||
ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4,
|
||||
ngx_http_mp4_trak_t *trak, ngx_uint_t start)
|
||||
{
|
||||
uint32_t start_sample, chunk, samples, id, next_chunk, n,
|
||||
uint64_t n;
|
||||
uint32_t start_sample, chunk, samples, id, next_chunk,
|
||||
prev_samples;
|
||||
ngx_buf_t *data, *buf;
|
||||
ngx_uint_t entries, target_chunk, chunk_samples;
|
||||
|
@ -3155,12 +3156,19 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4,
|
|||
|
||||
next_chunk = ngx_mp4_get_32value(entry->chunk);
|
||||
|
||||
if (next_chunk < chunk) {
|
||||
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
|
||||
"unordered mp4 stsc chunks in \"%s\"",
|
||||
mp4->file.name.data);
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
ngx_log_debug5(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0,
|
||||
"sample:%uD, chunk:%uD, chunks:%uD, "
|
||||
"samples:%uD, id:%uD",
|
||||
start_sample, chunk, next_chunk - chunk, samples, id);
|
||||
|
||||
n = (next_chunk - chunk) * samples;
|
||||
n = (uint64_t) (next_chunk - chunk) * samples;
|
||||
|
||||
if (start_sample < n) {
|
||||
goto found;
|
||||
|
@ -3168,7 +3176,10 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4,
|
|||
|
||||
start_sample -= n;
|
||||
|
||||
prev_samples = samples;
|
||||
if (next_chunk > chunk) {
|
||||
prev_samples = samples;
|
||||
}
|
||||
|
||||
chunk = next_chunk;
|
||||
samples = ngx_mp4_get_32value(entry->samples);
|
||||
id = ngx_mp4_get_32value(entry->id);
|
||||
|
@ -3178,11 +3189,18 @@ ngx_http_mp4_crop_stsc_data(ngx_http_mp4_file_t *mp4,
|
|||
|
||||
next_chunk = trak->chunks + 1;
|
||||
|
||||
if (next_chunk < chunk) {
|
||||
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
|
||||
"unordered mp4 stsc chunks in \"%s\"",
|
||||
mp4->file.name.data);
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
ngx_log_debug4(NGX_LOG_DEBUG_HTTP, mp4->file.log, 0,
|
||||
"sample:%uD, chunk:%uD, chunks:%uD, samples:%uD",
|
||||
start_sample, chunk, next_chunk - chunk, samples);
|
||||
|
||||
n = (next_chunk - chunk) * samples;
|
||||
n = (uint64_t) (next_chunk - chunk) * samples;
|
||||
|
||||
if (start_sample > n) {
|
||||
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
|
||||
|
@ -3203,6 +3221,12 @@ found:
|
|||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
if (chunk == 0) {
|
||||
ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
|
||||
"zero chunk in \"%s\"", mp4->file.name.data);
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
target_chunk = chunk - 1;
|
||||
target_chunk += start_sample / samples;
|
||||
chunk_samples = start_sample % samples;
|
||||
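Review bot: With `n` widened to `uint64_t`, the statement `start_sample -= n;` in ngx_http_mp4_crop_stsc_data narrows a 64-bit value into the 32-bit `start_sample` implicitly. It is safe only because the `start_sample < n` branch has already jumped to `found`, so `n` cannot exceed `start_sample` at that point; I would make that explicit with `start_sample -= (uint32_t) n;  /* n <= start_sample here */`. The divisions by `samples` that follow the `chunk == 0` check rely on a guard that is cut off above the last hunk, so I could not confirm it from this page.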
|
|
|
@ -482,9 +482,13 @@ ngx_http_ssi_body_filter(ngx_http_request_t *r, ngx_chain_t *in)
|
|||
while (ctx->in || ctx->buf) {
|
||||
|
||||
if (ctx->buf == NULL) {
|
||||
ctx->buf = ctx->in->buf;
|
||||
ctx->in = ctx->in->next;
|
||||
|
||||
cl = ctx->in;
|
||||
ctx->buf = cl->buf;
|
||||
ctx->in = cl->next;
|
||||
ctx->pos = ctx->buf->pos;
|
||||
|
||||
ngx_free_chain(r->pool, cl);
|
||||
}
|
||||
|
||||
if (ctx->state == ssi_start_state) {
|
||||
|
|
|
@ -335,9 +335,13 @@ ngx_http_sub_body_filter(ngx_http_request_t *r, ngx_chain_t *in)
|
|||
while (ctx->in || ctx->buf) {
|
||||
|
||||
if (ctx->buf == NULL) {
|
||||
ctx->buf = ctx->in->buf;
|
||||
ctx->in = ctx->in->next;
|
||||
|
||||
cl = ctx->in;
|
||||
ctx->buf = cl->buf;
|
||||
ctx->in = cl->next;
|
||||
ctx->pos = ctx->buf->pos;
|
||||
|
||||
ngx_free_chain(r->pool, cl);
|
||||
}
|
||||
|
||||
if (ctx->buf->flush || ctx->buf->recycled) {
|
||||
|
|
|
@ -932,6 +932,31 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
|
|||
goto done;
|
||||
}
|
||||
|
||||
sscf = ngx_http_get_module_srv_conf(cscf->ctx, ngx_http_ssl_module);
|
||||
|
||||
#if (defined TLS1_3_VERSION \
|
||||
&& !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL)
|
||||
|
||||
/*
|
||||
* SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+,
|
||||
* but servername being negotiated in every TLSv1.3 handshake
|
||||
* is only returned in OpenSSL 1.1.1+ as well
|
||||
*/
|
||||
|
||||
if (sscf->verify) {
|
||||
const char *hostname;
|
||||
|
||||
hostname = SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn));
|
||||
|
||||
if (hostname != NULL && ngx_strcmp(hostname, servername) != 0) {
|
||||
c->ssl->handshake_rejected = 1;
|
||||
*ad = SSL_AD_ACCESS_DENIED;
|
||||
return SSL_TLSEXT_ERR_ALERT_FATAL;
|
||||
}
|
||||
}
|
||||
|
||||
#endif
|
||||
|
||||
hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t));
|
||||
if (hc->ssl_servername == NULL) {
|
||||
goto error;
|
||||
|
@ -945,8 +970,6 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
|
|||
|
||||
ngx_set_connection_log(c, clcf->error_log);
|
||||
|
||||
sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module);
|
||||
|
||||
c->ssl->buffer_size = sscf->buffer_size;
|
||||
|
||||
if (sscf->ssl.ctx) {
|
||||
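Review bot: The session-hostname check in ngx_http_ssl_servername lets the handshake continue whenever `SSL_SESSION_get0_hostname()` returns NULL, and the `#if` compiles it out for LibreSSL and BoringSSL; the comment explains API availability but justifies neither decision. Since this block ties a reused session to the virtual server whose `sscf->verify` policy applies, I would extend the comment to say why a session with no recorded name is acceptable and whether the excluded libraries are unaffected or simply left without the check. `ngx_strcmp()` is byte-exact, so names that differ only in case are rejected, which fails closed and is worth a word as well. The identical block in ngx_stream_ssl_servername, the last section of this compare, needs the same comment.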
|
|
|
@ -810,6 +810,7 @@ ngx_http_v3_parse_field_lri(ngx_connection_t *c,
|
|||
|
||||
st->literal.length = st->pint.value;
|
||||
if (st->literal.length == 0) {
|
||||
st->value.data = (u_char *) "";
|
||||
goto done;
|
||||
}
|
||||
|
||||
|
@ -932,6 +933,7 @@ ngx_http_v3_parse_field_l(ngx_connection_t *c,
|
|||
|
||||
st->literal.length = st->pint.value;
|
||||
if (st->literal.length == 0) {
|
||||
st->value.data = (u_char *) "";
|
||||
goto done;
|
||||
}
|
||||
|
||||
|
@ -1072,6 +1074,7 @@ ngx_http_v3_parse_field_lpbi(ngx_connection_t *c,
|
|||
|
||||
st->literal.length = st->pint.value;
|
||||
if (st->literal.length == 0) {
|
||||
st->value.data = (u_char *) "";
|
||||
goto done;
|
||||
}
|
||||
|
||||
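Review bot: The zero-length branches in ngx_http_v3_parse_field_lri, ngx_http_v3_parse_field_l and ngx_http_v3_parse_field_lpbi point `st->value.data` at a string literal through a `(u_char *)` cast, with no comment on why a non-NULL pointer is required or that the target is read-only. Any later code that writes through `value.data` for an empty value would be undefined behaviour, and the hunks do not show `st->value.len` being set next to it. A short comment at each site, e.g. `/* empty value: non-NULL read-only data, len must stay 0 */`, would record the contract.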
|
|
|
@ -134,7 +134,17 @@ ngx_http_v3_init(ngx_connection_t *c)
|
|||
}
|
||||
}
|
||||
|
||||
return ngx_http_v3_send_settings(c);
|
||||
if (ngx_http_v3_send_settings(c) != NGX_OK) {
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
if (h3scf->max_table_capacity > 0) {
|
||||
if (ngx_http_v3_get_uni_stream(c, NGX_HTTP_V3_STREAM_DECODER) == NULL) {
|
||||
return NGX_ERROR;
|
||||
}
|
||||
}
|
||||
|
||||
return NGX_OK;
|
||||
}
|
||||
|
||||
|
||||
|
@ -398,14 +408,12 @@ ngx_http_v3_wait_request_handler(ngx_event_t *rev)
|
|||
void
|
||||
ngx_http_v3_reset_stream(ngx_connection_t *c)
|
||||
{
|
||||
ngx_http_v3_session_t *h3c;
|
||||
ngx_http_v3_srv_conf_t *h3scf;
|
||||
|
||||
h3scf = ngx_http_v3_get_module_srv_conf(c, ngx_http_v3_module);
|
||||
ngx_http_v3_session_t *h3c;
|
||||
|
||||
h3c = ngx_http_v3_get_session(c);
|
||||
|
||||
if (h3scf->max_table_capacity > 0 && !c->read->eof && !h3c->hq
|
||||
if (!c->read->eof && !h3c->hq
|
||||
&& h3c->known_streams[NGX_HTTP_V3_STREAM_SERVER_DECODER]
|
||||
&& (c->quic->id & NGX_QUIC_STREAM_UNIDIRECTIONAL) == 0)
|
||||
{
|
||||
(void) ngx_http_v3_send_cancel_stream(c, c->quic->id);
|
||||
|
|
|
@ -308,7 +308,7 @@ ngx_http_v3_set_capacity(ngx_connection_t *c, ngx_uint_t capacity)
|
|||
prev_max = dt->capacity / 32;
|
||||
|
||||
if (max > prev_max) {
|
||||
elts = ngx_alloc(max * sizeof(void *), c->log);
|
||||
elts = ngx_alloc((max + 1) * sizeof(void *), c->log);
|
||||
if (elts == NULL) {
|
||||
return NGX_ERROR;
|
||||
}
|
||||
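Review bot: The `+ 1` in `ngx_alloc((max + 1) * sizeof(void *), c->log)` is unexplained, and a bare one-slot adjustment in an allocation size is the kind of thing a later cleanup removes again. I would add a comment above the call naming which index needs the extra element, so that the size and the code indexing `elts` can be checked against each other. The multiplication is also unchecked; `max` appears to be a capacity divided by 32, but its upper bound is set outside the hunk, so I could not confirm that it cannot overflow.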
|
|
|
@ -20,8 +20,6 @@ static void ngx_http_v3_close_uni_stream(ngx_connection_t *c);
|
|||
static void ngx_http_v3_uni_read_handler(ngx_event_t *rev);
|
||||
static void ngx_http_v3_uni_dummy_read_handler(ngx_event_t *wev);
|
||||
static void ngx_http_v3_uni_dummy_write_handler(ngx_event_t *wev);
|
||||
static ngx_connection_t *ngx_http_v3_get_uni_stream(ngx_connection_t *c,
|
||||
ngx_uint_t type);
|
||||
|
||||
|
||||
void
|
||||
|
@ -307,7 +305,7 @@ ngx_http_v3_uni_dummy_write_handler(ngx_event_t *wev)
|
|||
}
|
||||
|
||||
|
||||
static ngx_connection_t *
|
||||
ngx_connection_t *
|
||||
ngx_http_v3_get_uni_stream(ngx_connection_t *c, ngx_uint_t type)
|
||||
{
|
||||
u_char buf[NGX_HTTP_V3_VARLEN_INT_LEN];
|
||||
|
|
|
@ -19,6 +19,8 @@ ngx_int_t ngx_http_v3_register_uni_stream(ngx_connection_t *c, uint64_t type);
|
|||
|
||||
ngx_int_t ngx_http_v3_cancel_stream(ngx_connection_t *c, ngx_uint_t stream_id);
|
||||
|
||||
ngx_connection_t *ngx_http_v3_get_uni_stream(ngx_connection_t *c,
|
||||
ngx_uint_t type);
|
||||
ngx_int_t ngx_http_v3_send_settings(ngx_connection_t *c);
|
||||
ngx_int_t ngx_http_v3_send_goaway(ngx_connection_t *c, uint64_t id);
|
||||
ngx_int_t ngx_http_v3_send_ack_section(ngx_connection_t *c,
|
||||
|
|
|
@ -521,12 +521,35 @@ ngx_stream_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
|
|||
goto done;
|
||||
}
|
||||
|
||||
sscf = ngx_stream_get_module_srv_conf(cscf->ctx, ngx_stream_ssl_module);
|
||||
|
||||
#if (defined TLS1_3_VERSION \
|
||||
&& !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL)
|
||||
|
||||
/*
|
||||
* SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+,
|
||||
* but servername being negotiated in every TLSv1.3 handshake
|
||||
* is only returned in OpenSSL 1.1.1+ as well
|
||||
*/
|
||||
|
||||
if (sscf->verify) {
|
||||
const char *hostname;
|
||||
|
||||
hostname = SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn));
|
||||
|
||||
if (hostname != NULL && ngx_strcmp(hostname, servername) != 0) {
|
||||
c->ssl->handshake_rejected = 1;
|
||||
*ad = SSL_AD_ACCESS_DENIED;
|
||||
return SSL_TLSEXT_ERR_ALERT_FATAL;
|
||||
}
|
||||
}
|
||||
|
||||
#endif
|
||||
|
||||
s->srv_conf = cscf->ctx->srv_conf;
|
||||
|
||||
ngx_set_connection_log(c, cscf->error_log);
|
||||
|
||||
sscf = ngx_stream_get_module_srv_conf(s, ngx_stream_ssl_module);
|
||||
|
||||
if (sscf->ssl.ctx) {
|
||||
if (SSL_set_SSL_CTX(ssl_conn, sscf->ssl.ctx) == NULL) {
|
||||
goto error;
|
||||
|
|