| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
|
| |
The ngx_http_find_virtual_server() function should return NGX_DECLINED
if virtual server not found.
|
| | |
|
| |
|
|
|
|
|
|
|
| |
Fixed compile-time conditionals used to detect if X-Forwarded-For support
is needed.
Note: compatibility shims were added during merge to avoid possible
breakage of 3rd party modules. At least cache purge module was broken
by the original commit, as it used to rely on NGX_HTTP_PROXY define.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
*) Win32: disallowed access to various non-canonical name variants.
This includes trailings dots and spaces, NTFS streams (and short names, as
previously checked). The checks are now also done in ngx_file_info(), thus
allowing to use the "try_files" directive to protect external scripts.
*) Win32: normalization of trailing dot inside uri.
Windows treats "/directory./" identical to "/directory/". Do the same
when working on Windows. Note that the behaviour is different from one
with last path component (where multiple spaces and dots are ignored by
Windows).
*) Win32: uris with ":$" are now rejected.
There are too many problems with special NTFS streams, notably "::$data",
"::$index_allocation" and ":$i30:$index_allocation".
For now we don't reject all URIs with ":" like Apache does as there are no
good reasons seen yet, and there are multiple programs using it in URLs
(e.g. MediaWiki).
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
*) Fixed possible request hang with filter finalization.
With r->filter_finalize set the ngx_http_finalize_connection() wasn't
called from ngx_http_finalize_request() called with NGX_OK, resulting in
r->main->count not being decremented, thus causing request hang in some
rare situations.
Patch by Yichun Zhang (agentzh).
*) Fixed segfault with filter_finalize introduced in r4621 (1.3.0).
See the following thread for more details:
http://mailman.nginx.org/pipermail/nginx-devel/2012-May/002190.html
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
The problem doesn't affect non-Apple systems for sure, and many pretend
to be Safari now.
Prodded by Piotr Sikora.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Now redirects to named locations are counted against normal uri changes
limit, and post_action respects this limit as well. As a result at least
the following (bad) configurations no longer trigger infinite cycles:
1. Post action which recursively triggers post action:
location / {
post_action /index.html;
}
2. Post action pointing to nonexistent named location:
location / {
post_action @nonexistent;
}
3. Recursive error page for 500 (Internal Server Error) pointing to
a nonexistent named location:
location / {
recursive_error_pages on;
error_page 500 @nonexistent;
return 500;
}
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Without the protection, subrequest loop results in r->count overflow and
SIGSEGV. Protection was broken in 0.7.25.
Note that this also limits number of parallel subrequests. This
wasn't exactly the case before 0.7.25 as local subrequests were
completed directly.
See here for details:
http://nginx.org/pipermail/nginx-ru/2010-February/032184.html
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Additional parsing logic added to correctly handle RFC 3986 compliant IPv6 and
IPvFuture characters enclosed in square brackets.
The host validation was completely rewritten. The behavior for non IP literals
was changed in a more proper and safer way:
- Host part is now delimited either by the first colon or by the end of string
if there's no colon. Previously the last colon was used as delimiter which
allowed substitution of a port number in the $host variable.
(e.g. Host: 127.0.0.1:9000:80)
- Fixed stripping of the ending dot in the Host header when the host was also
followed by a port number.
(e.g. Host: nginx.com.:80)
- Fixed upper case characters detection. Previously it was broken which led to
wasting memory and CPU.
|
| |
|
|
|
|
| |
Non-default servers may not have ssl context created if there are no
certificate defined. Make sure to check if ssl context present before
using it.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Second aio post happened when timer set by limit_rate expired while we have
aio request in flight, resulting in "second aio post" alert and socket leak.
The patch adds actual protection from aio calls with r->aio already set to
aio sendfile code in ngx_http_copy_filter(). This should fix other cases
as well, e.g. when sending buffered to disk upstream replies while still
talking to upstream.
The ngx_http_writer() is also fixed to handle the above case (though it's
mostly optimization now).
Reported by Oleksandr V. Typlyns'kyi.
|
| |
|
|
|
| |
Connections serving content with AIO to fast clients were dropped with
"client timed out" messages after send_timeout from response start.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
SSL_set_SSL_CTX() doesn't touch values cached within ssl connection
structure, it only changes certificates (at least as of now, OpenSSL
1.0.0d and earlier).
As a result settings like ssl_verify_client, ssl_verify_depth,
ssl_prefer_server_ciphers are only configurable on per-socket basis while
with SNI it should be possible to specify them different for two servers
listening on the same socket.
Workaround is to explicitly re-apply settings we care about from context
to ssl connection in servername callback.
Note that SSL_clear_options() is only available in OpenSSL 0.9.8m+. I.e.
with older versions it is not possible to clear ssl_prefer_server_ciphers
option if it's set in default server for a socket.
|
| |
|
|
|
|
| |
when request for static file is redirected by error_page to an SSI page
patch by Maxim Dounin
|
| |
|
|
| |
patch by Maxim Dounin
|
| |
|
|
|
|
| |
if reset_timedout_connection is on
patch by Maxim Dounin
|
| |
|
|
| |
patch by Maxim Dounin
|
| | |
|
| |
|
|
| |
patch by Maxim Dounin
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
https://bugs.webkit.org/show_bug.cgi?id=5760
|
| | |
|
| |
|
|
|
|
| |
runs ngx_http_core_run_phases(), and starts a request processing again.
The write event has clear type and remained in a keepalive connection.
The bug was introduced in r3050.
|
| | |
|
| | |
|
| |
|
|
| |
and a request line fills it completely
|
| |
|
|
| |
the bug had been introduced in r2196
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Initially building lists of ports, addresses, and server names had been
placed at final configuration stage, because complete set of the "listen"s
and the "server_names" were required for this operation. r3218 broke it,
because the "listen"s go usually first in configuration, and
cscf->server_names is empty at this stage, therefore no virtual names
were configured.
Now server configurations are stored in array for each address:port
to configure virtual names. Also regex captures flag is moved from
server names to core server configuration.
|
| |
|
|
| |
disables incomplete ngx_http_writer()
|
| | |
|
| |
|
|
| |
ngx_http_test_reading(), the bug was introduced in r3050
|
| |
|
|
| |
discarded, the bug was introduced in r3050
|
| |
|
|
| |
ngx_http_set_keepalive() while request cleanup
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
*) move low case convertation from ngx_http_find_virtual_server()
to ngx_http_validate_host()
*) add in ngx_http_validate_host() capability to copy host name in the pool
allocated memory
|
| | |
|
| | |
|
| |
|
|
| |
*) use preallocated terminal_posted_request
|
| | |
|
| | |
|
