author | nginx <nginx@nginx.org> | 2014-03-04 15:19:17 +0000 |
---|---|---|
committer | Jon Kolb <kolbyjack@gmail.com> | 2014-03-04 15:19:17 +0000 |
commit | 433c60ea060aa4be99c69bde2eda030f920c97ee (patch) | |
tree | d31cc567211ca28064df284a70c46ee8eec4ef3b /src/http/modules | |
parent | 7906d14d074d8ba13d3a5fe767bfd563a922c687 (diff) | |
download | nginx-433c60ea060aa4be99c69bde2eda030f920c97ee.tar.gz |
Changes with nginx 1.5.11 04 Mar 2014v1.5.11
*) Security: memory corruption might occur in a worker process on 32-bit
platforms while handling a specially crafted request by
ngx_http_spdy_module, potentially resulting in arbitrary code
execution (CVE-2014-0088); the bug had appeared in 1.5.10.
Thanks to Lucas Molas, researcher at Programa STIC, Fundación Dr.
Manuel Sadosky, Buenos Aires, Argentina.
*) Feature: the $ssl_session_reused variable.
*) Bugfix: the "client_max_body_size" directive might not work when
reading a request body using chunked transfer encoding; the bug had
appeared in 1.3.9.
Thanks to Lucas Molas.
*) Bugfix: a segmentation fault might occur in a worker process when
proxying WebSocket connections.
*) Bugfix: a segmentation fault might occur in a worker process if the
ngx_http_spdy_module was used on 32-bit platforms; the bug had
appeared in 1.5.10.
*) Bugfix: the $upstream_status variable might contain wrong data if the
"proxy_cache_use_stale" or "proxy_cache_revalidate" directives were
used.
Thanks to Piotr Sikora.
*) Bugfix: a segmentation fault might occur in a worker process if
errors with code 400 were redirected to a named location using the
"error_page" directive.
*) Bugfix: nginx/Windows could not be built with Visual Studio 2013.
Diffstat (limited to 'src/http/modules')
-rw-r--r-- | src/http/modules/ngx_http_access_module.c | 6 | ||||
-rw-r--r-- | src/http/modules/ngx_http_fastcgi_module.c | 2 | ||||
-rw-r--r-- | src/http/modules/ngx_http_gzip_static_module.c | 2 | ||||
-rw-r--r-- | src/http/modules/ngx_http_mp4_module.c | 2 | ||||
-rw-r--r-- | src/http/modules/ngx_http_proxy_module.c | 2 | ||||
-rw-r--r-- | src/http/modules/ngx_http_range_filter_module.c | 12 | ||||
-rw-r--r-- | src/http/modules/ngx_http_scgi_module.c | 4 | ||||
-rw-r--r-- | src/http/modules/ngx_http_ssl_module.c | 3 | ||||
-rw-r--r-- | src/http/modules/ngx_http_uwsgi_module.c | 4 |
9 files changed, 24 insertions, 13 deletions
diff --git a/src/http/modules/ngx_http_access_module.c b/src/http/modules/ngx_http_access_module.c
index fcee40ca0..c553e4610 100644
--- a/src/http/modules/ngx_http_access_module.c
+++ b/src/http/modules/ngx_http_access_module.c
@@ -259,7 +259,11 @@ ngx_http_access_unix(ngx_http_request_t *r, ngx_http_access_loc_conf_t *alcf)
 rule_un = alcf->rules_un->elts;
 for (i = 0; i < alcf->rules_un->nelts; i++) {
- return ngx_http_access_found(r, rule_un[i].deny);
+
+ /* TODO: check path */
+ if (1) {
+ return ngx_http_access_found(r, rule_un[i].deny);
+ }
 }
 return NGX_DECLINED;
diff --git a/src/http/modules/ngx_http_fastcgi_module.c b/src/http/modules/ngx_http_fastcgi_module.c
index 5bcf6ef8c..24dbbf663 100644
--- a/src/http/modules/ngx_http_fastcgi_module.c
+++ b/src/http/modules/ngx_http_fastcgi_module.c
@@ -1584,7 +1584,7 @@ ngx_http_fastcgi_process_header(ngx_http_request_t *r)
 ngx_str_set(&u->headers_in.status_line, "200 OK");
 }
- if (u->state) {
+ if (u->state && u->state->status == 0) {
 u->state->status = u->headers_in.status_n;
 }
diff --git a/src/http/modules/ngx_http_gzip_static_module.c b/src/http/modules/ngx_http_gzip_static_module.c
index 6e777619b..1746e5504 100644
--- a/src/http/modules/ngx_http_gzip_static_module.c
+++ b/src/http/modules/ngx_http_gzip_static_module.c
@@ -38,7 +38,7 @@ static ngx_conf_enum_t ngx_http_gzip_static[] = {
 static ngx_command_t ngx_http_gzip_static_commands[] = {
 { ngx_string("gzip_static"),
- NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_FLAG,
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
 ngx_conf_set_enum_slot,
 NGX_HTTP_LOC_CONF_OFFSET,
 offsetof(ngx_http_gzip_static_conf_t, enable),
diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c
index c29ab1ce5..426a0b97f 100644
--- a/src/http/modules/ngx_http_mp4_module.c
+++ b/src/http/modules/ngx_http_mp4_module.c
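Review bot: The `if (1)` wrapper in ngx_http_access_unix still returns on the first loop iteration, so the first entry in `rules_un` decides allow or deny for every UNIX-domain client and any later entry is never consulted. The constant condition reads like a placeholder (possibly there to quiet an unreachable-code warning on `i++`, which is a guess from the hunk alone), and the TODO does not say what remains unchecked. Since this is where the access decision is made, I would spell the contract out in place, e.g. `/* TODO: compare the socket path; until then the first unix rule matches every UNIX-domain client */`. The function body starts outside the hunk.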
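Review bot: The new guard `u->state->status == 0` in ngx_http_fastcgi_process_header uses zero as "no status recorded yet", but nothing at the site says so, and the same condition is repeated in ngx_http_proxy_process_status_line, both scgi handlers and both uwsgi handlers. It is only correct if each upstream state is zero-initialised before the first header is parsed, which none of these hunks show. A one-line comment at each site would make the intent reviewable, for example `/* do not overwrite a status already recorded for this upstream state */`. The commit message ties the fix to `proxy_cache_use_stale` and `proxy_cache_revalidate`; because `$upstream_status` typically ends up in access logs used for triage, a regression test covering those two directives would be worth adding.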
@@ -2481,7 +2481,7 @@ ngx_http_mp4_update_stsc_atom(ngx_http_mp4_file_t *mp4,
 n = (next_chunk - chunk) * samples;
- if (start_sample <= n) {
+ if (start_sample < n) {
 goto found;
 }
diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c
index 93469984c..8ee32f491 100644
--- a/src/http/modules/ngx_http_proxy_module.c
+++ b/src/http/modules/ngx_http_proxy_module.c
@@ -1362,7 +1362,7 @@ ngx_http_proxy_process_status_line(ngx_http_request_t *r)
 return NGX_OK;
 }
- if (u->state) {
+ if (u->state && u->state->status == 0) {
 u->state->status = ctx->status.code;
 }
diff --git a/src/http/modules/ngx_http_range_filter_module.c b/src/http/modules/ngx_http_range_filter_module.c
index 6143a8786..bcc64fd30 100644
--- a/src/http/modules/ngx_http_range_filter_module.c
+++ b/src/http/modules/ngx_http_range_filter_module.c
@@ -432,7 +432,9 @@ ngx_http_range_multipart_header(ngx_http_request_t *r,
 + r->headers_out.content_type.len
 + sizeof(CRLF "Content-Range: bytes ") - 1;
- if (r->headers_out.charset.len) {
+ if (r->headers_out.content_type_len == r->headers_out.content_type.len
+ && r->headers_out.charset.len)
+ {
 len += sizeof("; charset=") - 1 + r->headers_out.charset.len;
 }
@@ -451,7 +453,9 @@ ngx_http_range_multipart_header(ngx_http_request_t *r,
 * "Content-Range: bytes "
 */
- if (r->headers_out.charset.len) {
+ if (r->headers_out.content_type_len == r->headers_out.content_type.len
+ && r->headers_out.charset.len)
+ {
 ctx->boundary_header.len = ngx_sprintf(ctx->boundary_header.data,
 CRLF "--%0muA" CRLF
 "Content-Type: %V; charset=%V" CRLF
@@ -461,8 +465,6 @@ ngx_http_range_multipart_header(ngx_http_request_t *r,
 &r->headers_out.charset)
 - ctx->boundary_header.data;
- r->headers_out.charset.len = 0;
-
 } else if (r->headers_out.content_type.len) {
 ctx->boundary_header.len = ngx_sprintf(ctx->boundary_header.data,
 CRLF "--%0muA" CRLF
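Review bot: The boundary change to `start_sample < n` in ngx_http_mp4_update_stsc_atom carries no comment saying which run `start_sample == n` belongs to, and this is the kind of off-by-one that decides whether later index arithmetic stays inside the sample table. With `n = (next_chunk - chunk) * samples` as the number of samples in the current run, and assuming `start_sample` is a zero-based offset, offsets 0 to n-1 fall in this run and n is the first sample of the next, so the new test looks right; I would state that in place, e.g. `/* start_sample == n is the first sample of the next run */`. What happens to `start_sample` when the comparison fails, and the code at `found`, are outside the hunk, so the equal case for the last entry cannot be confirmed from here. A test that seeks exactly onto a run boundary would pin the behaviour.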
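Review bot: The condition `r->headers_out.content_type_len == r->headers_out.content_type.len && r->headers_out.charset.len` is now written out twice in ngx_http_range_multipart_header, once where `len` grows for "; charset=" (hunk at -432) and once where ngx_sprintf writes `charset=%V` into `ctx->boundary_header.data` (hunk at -451). If `len` sizes that buffer, as it appears to (the allocation lies between the hunks and is not visible), the two tests must stay identical or the formatted header can exceed the space reserved for it. Evaluating the condition once into a local, e.g. `charset = (r->headers_out.content_type_len == r->headers_out.content_type.len && r->headers_out.charset.len);`, and testing `if (charset) {` at both places removes that coupling. A short comment on why a differing `content_type_len` suppresses the charset would also help the next reader.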
@@ -501,6 +503,8 @@ ngx_http_range_multipart_header(ngx_http_request_t *r,
 r->headers_out.content_type_len = r->headers_out.content_type.len;
+ r->headers_out.charset.len = 0;
+
 /* the size of the last boundary CRLF "--0123456789--" CRLF */
 len = sizeof(CRLF "--") - 1 + NGX_ATOMIC_T_LEN + sizeof("--" CRLF) - 1;
diff --git a/src/http/modules/ngx_http_scgi_module.c b/src/http/modules/ngx_http_scgi_module.c
index 70f6ac1de..884cb500a 100644
--- a/src/http/modules/ngx_http_scgi_module.c
+++ b/src/http/modules/ngx_http_scgi_module.c
@@ -885,7 +885,7 @@ ngx_http_scgi_process_status_line(ngx_http_request_t *r)
 return ngx_http_scgi_process_header(r);
 }
- if (u->state) {
+ if (u->state && u->state->status == 0) {
 u->state->status = status->code;
 }
@@ -1013,7 +1013,7 @@ ngx_http_scgi_process_header(ngx_http_request_t *r)
 ngx_str_set(&u->headers_in.status_line, "200 OK");
 }
- if (u->state) {
+ if (u->state && u->state->status == 0) {
 u->state->status = u->headers_in.status_n;
 }
diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c
index df1e55ee9..206f58d25 100644
--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -270,6 +270,9 @@ static ngx_http_variable_t ngx_http_ssl_vars[] = {
 { ngx_string("ssl_session_id"), NULL, ngx_http_ssl_variable,
 (uintptr_t) ngx_ssl_get_session_id, NGX_HTTP_VAR_CHANGEABLE, 0 },
+ { ngx_string("ssl_session_reused"), NULL, ngx_http_ssl_variable,
+ (uintptr_t) ngx_ssl_get_session_reused, NGX_HTTP_VAR_CHANGEABLE, 0 },
+
 { ngx_string("ssl_client_cert"), NULL, ngx_http_ssl_variable,
 (uintptr_t) ngx_ssl_get_certificate, NGX_HTTP_VAR_CHANGEABLE, 0 },
diff --git a/src/http/modules/ngx_http_uwsgi_module.c b/src/http/modules/ngx_http_uwsgi_module.c
index f55e606c8..17dfc3b3a 100644
--- a/src/http/modules/ngx_http_uwsgi_module.c
+++ b/src/http/modules/ngx_http_uwsgi_module.c
@@ -1017,7 +1017,7 @@ ngx_http_uwsgi_process_status_line(ngx_http_request_t *r)
 return ngx_http_uwsgi_process_header(r);
 }
- if (u->state) {
+ if (u->state && u->state->status == 0) {
 u->state->status = status->code;
 }
@@ -1145,7 +1145,7 @@ ngx_http_uwsgi_process_header(ngx_http_request_t *r)
 ngx_str_set(&u->headers_in.status_line, "200 OK");
 }
- if (u->state) {
+ if (u->state && u->state->status == 0) {
 u->state->status = u->headers_in.status_n;
 }
|