diff options
| author | Igor Sysoev <igor@sysoev.ru> | 2007-07-17 10:02:00 +0000 |
|---|---|---|
| committer | Jonathan Kolb <jon@b0g.us> | 2007-07-17 10:02:00 +0000 |
| commit | 95603f1dd5ef16f8e492927f399b1ce25ed4264f (patch) | |
| tree | c7d2150151460d5fbc3e839203e776f26223a282 | |
| parent | afcc42e81ad255426aa89ccf01786b19a5230b08 (diff) | |
| download | nginx-0.5.28.tar.gz | |
Changes with nginx 0.5.28 17 Jun 2007v0.5.28
*) Security: the "msie_refresh" directive allowed XSS.
*) Bugfix: a segmentation fault might occur in worker process if the
"auth_http_header" directive was used.
Thanks to Maxim Dounin.
*) Bugfix: a segmentation fault occurred in worker process if the
CRAM-MD5 authentication method was used, but it was not enabled.
*) Bugfix: a segmentation fault might occur in worker process if the
eventport method was used.
| -rw-r--r-- | CHANGES | 17 | ||||
| -rw-r--r-- | CHANGES.ru | 16 | ||||
| -rw-r--r-- | src/core/nginx.c | 4 | ||||
| -rw-r--r-- | src/core/nginx.h | 2 | ||||
| -rw-r--r-- | src/core/ngx_string.c | 36 | ||||
| -rw-r--r-- | src/core/ngx_string.h | 1 | ||||
| -rw-r--r-- | src/event/modules/ngx_eventport_module.c | 4 | ||||
| -rw-r--r-- | src/http/modules/ngx_http_dav_module.c | 4 | ||||
| -rw-r--r-- | src/http/modules/perl/nginx.pm | 2 | ||||
| -rw-r--r-- | src/http/ngx_http_request_body.c | 1 | ||||
| -rw-r--r-- | src/http/ngx_http_special_response.c | 24 | ||||
| -rw-r--r-- | src/mail/ngx_mail_auth_http_module.c | 1 | ||||
| -rw-r--r-- | src/mail/ngx_mail_handler.c | 13 |
13 files changed, 100 insertions, 25 deletions
@@ -1,4 +1,19 @@ +Changes with nginx 0.5.28 17 Jun 2007 + + *) Security: the "msie_refresh" directive allowed XSS. + + *) Bugfix: a segmentation fault might occur in worker process if the + "auth_http_header" directive was used. + Thanks to Maxim Dounin. + + *) Bugfix: a segmentation fault occurred in worker process if the + CRAM-MD5 authentication method was used, but it was not enabled. + + *) Bugfix: a segmentation fault might occur in worker process if the + eventport method was used. + + Changes with nginx 0.5.27 09 Jul 2007 *) Bugfix: if remote SSI subrequest was used, then posterior local file @@ -215,7 +230,7 @@ Changes with nginx 0.5.13 19 Feb 2007 send timeout only. *) Bugfix: nginx could not be built on platforms different from i386, - amd64, sparc и ppc; bug appeared in 0.5.8. + amd64, sparc and ppc; bug appeared in 0.5.8. Changes with nginx 0.5.12 12 Feb 2007 diff --git a/CHANGES.ru b/CHANGES.ru index 035cfc252..88ebc4f3d 100644 --- a/CHANGES.ru +++ b/CHANGES.ru @@ -1,4 +1,20 @@ +Изменения в nginx 0.5.28 17.06.2007 + + *) Безопасность: при использовании директивы msie_refresh был возможен + XSS. + + *) Исправление: при использовании директивы auth_http_header в рабочем + процессе мог произойти segmentation fault. + Спасибо Максиму Дунину. + + *) Исправление: если использовался метод аутентификации CRAM-MD5, но он + не был разрешён, то в рабочем процессе происходил segmentation fault. + + *) Исправление: в рабочем процессе мог произойти segmentation fault, + если использовался метод eventport. + + Изменения в nginx 0.5.27 09.07.2007 *) Исправление: при использовании удалённого подзапроса в SSI diff --git a/src/core/nginx.c b/src/core/nginx.c index 357b1b9cd..df6c72cfd 100644 --- a/src/core/nginx.c +++ b/src/core/nginx.c @@ -796,6 +796,7 @@ ngx_core_module_init_conf(ngx_cycle_t *cycle, void *conf) if (ccf->user == (uid_t) NGX_CONF_UNSET_UINT && geteuid() == 0) { + ngx_set_errno(0); pwd = getpwnam(NGX_USER); if (pwd == NULL) { ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno, @@ -806,6 +807,7 @@ ngx_core_module_init_conf(ngx_cycle_t *cycle, void *conf) ccf->username = NGX_USER; ccf->user = pwd->pw_uid; + ngx_set_errno(0); grp = getgrnam(NGX_GROUP); if (grp == NULL) { ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno, @@ -920,6 +922,7 @@ ngx_set_user(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) ccf->username = (char *) value[1].data; + ngx_set_errno(0); pwd = getpwnam((const char *) value[1].data); if (pwd == NULL) { ngx_conf_log_error(NGX_LOG_EMERG, cf, ngx_errno, @@ -931,6 +934,7 @@ ngx_set_user(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) group = (char *) ((cf->args->nelts == 2) ? value[1].data : value[2].data); + ngx_set_errno(0); grp = getgrnam(group); if (grp == NULL) { ngx_conf_log_error(NGX_LOG_EMERG, cf, ngx_errno, diff --git a/src/core/nginx.h b/src/core/nginx.h index 7507acec1..3e74291ad 100644 --- a/src/core/nginx.h +++ b/src/core/nginx.h @@ -8,7 +8,7 @@ #define _NGINX_H_INCLUDED_ -#define NGINX_VERSION "0.5.27" +#define NGINX_VERSION "0.5.28" #define NGINX_VER "nginx/" NGINX_VERSION #define NGINX_VAR "NGINX" diff --git a/src/core/ngx_string.c b/src/core/ngx_string.c index 7b5287f0a..29dc39f5a 100644 --- a/src/core/ngx_string.c +++ b/src/core/ngx_string.c @@ -1025,7 +1025,7 @@ ngx_escape_uri(u_char *dst, u_char *src, size_t size, ngx_uint_t type) 0xffffffff, /* 1111 1111 1111 1111 1111 1111 1111 1111 */ /* ?>=< ;:98 7654 3210 /.-, +*)( '&%$ #"! */ - 0x800000ad, /* 0000 0000 0000 0000 0000 0000 1010 1101 */ + 0x000000ad, /* 0000 0000 0000 0000 0000 0000 1010 1101 */ /* _^]\ [ZYX WVUT SRQP ONML KJIH GFED CBA@ */ 0x00000000, /* 0000 0000 0000 0000 0000 0000 0000 0000 */ @@ -1039,18 +1039,30 @@ ngx_escape_uri(u_char *dst, u_char *src, size_t size, ngx_uint_t type) 0xffffffff /* 1111 1111 1111 1111 1111 1111 1111 1111 */ }; + /* " ", """, "'", %00-%1F, %7F-%FF */ - switch (type) { - case NGX_ESCAPE_HTML: - escape = html; - break; - case NGX_ESCAPE_ARGS: - escape = args; - break; - default: - escape = uri; - break; - } + static uint32_t refresh[] = { + 0xffffffff, /* 1111 1111 1111 1111 1111 1111 1111 1111 */ + + /* ?>=< ;:98 7654 3210 /.-, +*)( '&%$ #"! */ + 0x00000085, /* 0000 0000 0000 0000 0000 0000 1000 0101 */ + + /* _^]\ [ZYX WVUT SRQP ONML KJIH GFED CBA@ */ + 0x00000000, /* 0000 0000 0000 0000 0000 0000 0000 0000 */ + + /* ~}| {zyx wvut srqp onml kjih gfed cba` */ + 0x80000000, /* 1000 0000 0000 0000 0000 0000 0000 0000 */ + + 0xffffffff, /* 1111 1111 1111 1111 1111 1111 1111 1111 */ + 0xffffffff, /* 1111 1111 1111 1111 1111 1111 1111 1111 */ + 0xffffffff, /* 1111 1111 1111 1111 1111 1111 1111 1111 */ + 0xffffffff /* 1111 1111 1111 1111 1111 1111 1111 1111 */ + }; + + static uint32_t *map[] = { uri, args, html, refresh }; + + + escape = map[type]; if (dst == NULL) { diff --git a/src/core/ngx_string.h b/src/core/ngx_string.h index 18306d2d2..6b432d1f2 100644 --- a/src/core/ngx_string.h +++ b/src/core/ngx_string.h @@ -142,6 +142,7 @@ u_char *ngx_utf_cpystrn(u_char *dst, u_char *src, size_t n); #define NGX_ESCAPE_URI 0 #define NGX_ESCAPE_ARGS 1 #define NGX_ESCAPE_HTML 2 +#define NGX_ESCAPE_REFRESH 3 #define NGX_UNESCAPE_URI 1 diff --git a/src/event/modules/ngx_eventport_module.c b/src/event/modules/ngx_eventport_module.c index bd046edbb..0abb2eec1 100644 --- a/src/event/modules/ngx_eventport_module.c +++ b/src/event/modules/ngx_eventport_module.c @@ -514,6 +514,10 @@ ngx_eventport_process_events(ngx_cycle_t *cycle, ngx_msec_t timer, } else { rev->handler(rev); + + if (ev->closed) { + continue; + } } if (rev->accept) { diff --git a/src/http/modules/ngx_http_dav_module.c b/src/http/modules/ngx_http_dav_module.c index 9fab59bf7..5539f6195 100644 --- a/src/http/modules/ngx_http_dav_module.c +++ b/src/http/modules/ngx_http_dav_module.c @@ -239,9 +239,7 @@ ngx_http_dav_put_handler(ngx_http_request_t *r) #if !(NGX_WIN32) - if (ngx_change_file_access(temp->data, dlcf->access) - == NGX_FILE_ERROR) - { + if (ngx_change_file_access(temp->data, dlcf->access) == NGX_FILE_ERROR) { err = ngx_errno; not_found = NGX_HTTP_INTERNAL_SERVER_ERROR; failed = ngx_change_file_access_n; diff --git a/src/http/modules/perl/nginx.pm b/src/http/modules/perl/nginx.pm index f59fd4377..30e31aa23 100644 --- a/src/http/modules/perl/nginx.pm +++ b/src/http/modules/perl/nginx.pm @@ -47,7 +47,7 @@ our @EXPORT = qw( HTTP_INSUFFICIENT_STORAGE ); -our $VERSION = '0.5.27'; +our $VERSION = '0.5.28'; require XSLoader; XSLoader::load('nginx', $VERSION); diff --git a/src/http/ngx_http_request_body.c b/src/http/ngx_http_request_body.c index bfdc8e443..494f48416 100644 --- a/src/http/ngx_http_request_body.c +++ b/src/http/ngx_http_request_body.c @@ -88,6 +88,7 @@ ngx_http_read_client_request_body(ngx_http_request_t *r, } post_handler(r); + return NGX_OK; } diff --git a/src/http/ngx_http_special_response.c b/src/http/ngx_http_special_response.c index bb72079a9..2598116f7 100644 --- a/src/http/ngx_http_special_response.c +++ b/src/http/ngx_http_special_response.c @@ -315,6 +315,7 @@ ngx_http_special_response_handler(ngx_http_request_t *r, ngx_int_t error) { u_char *p; size_t msie_refresh; + uintptr_t escape; ngx_int_t rc; ngx_buf_t *b; ngx_str_t *uri, *location; @@ -496,17 +497,19 @@ ngx_http_special_response_handler(ngx_http_request_t *r, ngx_int_t error) r->headers_out.content_length = NULL; } - msie_refresh = 0; - location = NULL; - if (clcf->msie_refresh && r->headers_in.msie && (error == NGX_HTTP_MOVED_PERMANENTLY || error == NGX_HTTP_MOVED_TEMPORARILY)) { + location = &r->headers_out.location->value; + + escape = 2 * ngx_escape_uri(NULL, location->data, location->len, + NGX_ESCAPE_REFRESH); + msie_refresh = sizeof(ngx_http_msie_refresh_head) - 1 - + location->len + + escape + location->len + sizeof(ngx_http_msie_refresh_tail) - 1; r->err_status = NGX_HTTP_OK; @@ -514,6 +517,11 @@ ngx_http_special_response_handler(ngx_http_request_t *r, ngx_int_t error) r->headers_out.content_length_n = msie_refresh; r->headers_out.location->hash = 0; r->headers_out.location = NULL; + + } else { + location = NULL; + escape = 0; + msie_refresh = 0; } ngx_http_clear_accept_ranges(r); @@ -595,7 +603,13 @@ ngx_http_special_response_handler(ngx_http_request_t *r, ngx_int_t error) p = ngx_cpymem(b->pos, ngx_http_msie_refresh_head, sizeof(ngx_http_msie_refresh_head) - 1); - p = ngx_cpymem(p, location->data, location->len); + if (escape == 0) { + p = ngx_cpymem(p, location->data, location->len); + + } else { + p = (u_char *) ngx_escape_uri(p, location->data, location->len, + NGX_ESCAPE_REFRESH); + } b->last = ngx_cpymem(p, ngx_http_msie_refresh_tail, sizeof(ngx_http_msie_refresh_tail) - 1); diff --git a/src/mail/ngx_mail_auth_http_module.c b/src/mail/ngx_mail_auth_http_module.c index 8028c957a..c7e0fc038 100644 --- a/src/mail/ngx_mail_auth_http_module.c +++ b/src/mail/ngx_mail_auth_http_module.c @@ -1169,6 +1169,7 @@ ngx_mail_auth_http_create_request(ngx_mail_session_t *s, ngx_pool_t *pool, + sizeof(CRLF) - 1 + sizeof("Client-IP: ") - 1 + s->connection->addr_text.len + sizeof(CRLF) - 1 + + ahcf->header.len + sizeof(CRLF) - 1; b = ngx_create_temp_buf(pool, len); diff --git a/src/mail/ngx_mail_handler.c b/src/mail/ngx_mail_handler.c index e41983248..8fee001bb 100644 --- a/src/mail/ngx_mail_handler.c +++ b/src/mail/ngx_mail_handler.c @@ -708,7 +708,10 @@ ngx_pop3_auth_state(ngx_event_t *rev) (u_char *) "CRAM-MD5", 8) == 0) { - if (s->args.nelts != 1) { + if (!(cscf->pop3_auth_methods + & NGX_MAIL_AUTH_CRAM_MD5_ENABLED) + || s->args.nelts != 1) + { rc = NGX_MAIL_PARSE_INVALID_COMMAND; break; } @@ -1368,7 +1371,13 @@ ngx_smtp_auth_state(ngx_event_t *rev) (u_char *) "CRAM-MD5", 8) == 0) { - if (s->args.nelts != 1) { + cscf = ngx_mail_get_module_srv_conf(s, + ngx_mail_core_module); + + if (!(cscf->smtp_auth_methods + & NGX_MAIL_AUTH_CRAM_MD5_ENABLED) + || s->args.nelts != 1) + { rc = NGX_MAIL_PARSE_INVALID_COMMAND; break; } |