Changes with nginx 1.5.11 04 Mar 2014v1.5.11

    *) Security: memory corruption might occur in a worker process on 32-bit
       platforms while handling a specially crafted request by
       ngx_http_spdy_module, potentially resulting in arbitrary code
       execution (CVE-2014-0088); the bug had appeared in 1.5.10.
       Thanks to Lucas Molas, researcher at Programa STIC, Fundación Dr.
       Manuel Sadosky, Buenos Aires, Argentina.

    *) Feature: the $ssl_session_reused variable.

    *) Bugfix: the "client_max_body_size" directive might not work when
       reading a request body using chunked transfer encoding; the bug had
       appeared in 1.3.9.
       Thanks to Lucas Molas.

    *) Bugfix: a segmentation fault might occur in a worker process when
       proxying WebSocket connections.

    *) Bugfix: a segmentation fault might occur in a worker process if the
       ngx_http_spdy_module was used on 32-bit platforms; the bug had
       appeared in 1.5.10.

    *) Bugfix: the $upstream_status variable might contain wrong data if the
       "proxy_cache_use_stale" or "proxy_cache_revalidate" directives were
       used.
       Thanks to Piotr Sikora.

    *) Bugfix: a segmentation fault might occur in a worker process if
       errors with code 400 were redirected to a named location using the
       "error_page" directive.

    *) Bugfix: nginx/Windows could not be built with Visual Studio 2013.

9 files changed, 24 insertions, 13 deletions

diff --git a/src/http/modules/ngx_http_access_module.c b/src/http/modules/ngx_http_access_module.c
index fcee40ca0..c553e4610 100644
--- a/src/http/modules/ngx_http_access_module.c
+++ b/src/http/modules/ngx_http_access_module.c
@@ -259,7 +259,11 @@ ngx_http_access_unix(ngx_http_request_t *r, ngx_http_access_loc_conf_t *alcf)
 
     rule_un = alcf->rules_un->elts;
     for (i = 0; i < alcf->rules_un->nelts; i++) {
-        return ngx_http_access_found(r, rule_un[i].deny);
+
+        /* TODO: check path */
+        if (1) {
+            return ngx_http_access_found(r, rule_un[i].deny);
+        }
     }
 
     return NGX_DECLINED;
diff --git a/src/http/modules/ngx_http_fastcgi_module.c b/src/http/modules/ngx_http_fastcgi_module.c
index 5bcf6ef8c..24dbbf663 100644
--- a/src/http/modules/ngx_http_fastcgi_module.c
+++ b/src/http/modules/ngx_http_fastcgi_module.c
@@ -1584,7 +1584,7 @@ ngx_http_fastcgi_process_header(ngx_http_request_t *r)
                     ngx_str_set(&u->headers_in.status_line, "200 OK");
                 }
 
-                if (u->state) {
+                if (u->state && u->state->status == 0) {
                     u->state->status = u->headers_in.status_n;
                 }
 
diff --git a/src/http/modules/ngx_http_gzip_static_module.c b/src/http/modules/ngx_http_gzip_static_module.c
index 6e777619b..1746e5504 100644
--- a/src/http/modules/ngx_http_gzip_static_module.c
+++ b/src/http/modules/ngx_http_gzip_static_module.c
@@ -38,7 +38,7 @@ static ngx_conf_enum_t  ngx_http_gzip_static[] = {
 static ngx_command_t  ngx_http_gzip_static_commands[] = {
 
     { ngx_string("gzip_static"),
-      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_FLAG,
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
       ngx_conf_set_enum_slot,
       NGX_HTTP_LOC_CONF_OFFSET,
       offsetof(ngx_http_gzip_static_conf_t, enable),
diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c
index c29ab1ce5..426a0b97f 100644
--- a/src/http/modules/ngx_http_mp4_module.c
+++ b/src/http/modules/ngx_http_mp4_module.c
@@ -2481,7 +2481,7 @@ ngx_http_mp4_update_stsc_atom(ngx_http_mp4_file_t *mp4,
 
         n = (next_chunk - chunk) * samples;
 
-        if (start_sample <= n) {
+        if (start_sample < n) {
             goto found;
         }
 
diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c
index 93469984c..8ee32f491 100644
--- a/src/http/modules/ngx_http_proxy_module.c
+++ b/src/http/modules/ngx_http_proxy_module.c
@@ -1362,7 +1362,7 @@ ngx_http_proxy_process_status_line(ngx_http_request_t *r)
         return NGX_OK;
     }
 
-    if (u->state) {
+    if (u->state && u->state->status == 0) {
         u->state->status = ctx->status.code;
     }
 
diff --git a/src/http/modules/ngx_http_range_filter_module.c b/src/http/modules/ngx_http_range_filter_module.c
index 6143a8786..bcc64fd30 100644
--- a/src/http/modules/ngx_http_range_filter_module.c
+++ b/src/http/modules/ngx_http_range_filter_module.c
@@ -432,7 +432,9 @@ ngx_http_range_multipart_header(ngx_http_request_t *r,
           + r->headers_out.content_type.len
           + sizeof(CRLF "Content-Range: bytes ") - 1;
 
-    if (r->headers_out.charset.len) {
+    if (r->headers_out.content_type_len == r->headers_out.content_type.len
+        && r->headers_out.charset.len)
+    {
         len += sizeof("; charset=") - 1 + r->headers_out.charset.len;
     }
 
@@ -451,7 +453,9 @@ ngx_http_range_multipart_header(ngx_http_request_t *r,
      * "Content-Range: bytes "
      */
 
-    if (r->headers_out.charset.len) {
+    if (r->headers_out.content_type_len == r->headers_out.content_type.len
+        && r->headers_out.charset.len)
+    {
         ctx->boundary_header.len = ngx_sprintf(ctx->boundary_header.data,
                                            CRLF "--%0muA" CRLF
                                            "Content-Type: %V; charset=%V" CRLF
@@ -461,8 +465,6 @@ ngx_http_range_multipart_header(ngx_http_request_t *r,
                                            &r->headers_out.charset)
                                    - ctx->boundary_header.data;
 
-        r->headers_out.charset.len = 0;
-
     } else if (r->headers_out.content_type.len) {
         ctx->boundary_header.len = ngx_sprintf(ctx->boundary_header.data,
                                            CRLF "--%0muA" CRLF
@@ -501,6 +503,8 @@ ngx_http_range_multipart_header(ngx_http_request_t *r,
 
     r->headers_out.content_type_len = r->headers_out.content_type.len;
 
+    r->headers_out.charset.len = 0;
+
     /* the size of the last boundary CRLF "--0123456789--" CRLF */
 
     len = sizeof(CRLF "--") - 1 + NGX_ATOMIC_T_LEN + sizeof("--" CRLF) - 1;
diff --git a/src/http/modules/ngx_http_scgi_module.c b/src/http/modules/ngx_http_scgi_module.c
index 70f6ac1de..884cb500a 100644
--- a/src/http/modules/ngx_http_scgi_module.c
+++ b/src/http/modules/ngx_http_scgi_module.c
@@ -885,7 +885,7 @@ ngx_http_scgi_process_status_line(ngx_http_request_t *r)
         return ngx_http_scgi_process_header(r);
     }
 
-    if (u->state) {
+    if (u->state && u->state->status == 0) {
         u->state->status = status->code;
     }
 
@@ -1013,7 +1013,7 @@ ngx_http_scgi_process_header(ngx_http_request_t *r)
                 ngx_str_set(&u->headers_in.status_line, "200 OK");
             }
 
-            if (u->state) {
+            if (u->state && u->state->status == 0) {
                 u->state->status = u->headers_in.status_n;
             }
 
diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c
index df1e55ee9..206f58d25 100644
--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -270,6 +270,9 @@ static ngx_http_variable_t  ngx_http_ssl_vars[] = {
     { ngx_string("ssl_session_id"), NULL, ngx_http_ssl_variable,
       (uintptr_t) ngx_ssl_get_session_id, NGX_HTTP_VAR_CHANGEABLE, 0 },
 
+    { ngx_string("ssl_session_reused"), NULL, ngx_http_ssl_variable,
+      (uintptr_t) ngx_ssl_get_session_reused, NGX_HTTP_VAR_CHANGEABLE, 0 },
+
     { ngx_string("ssl_client_cert"), NULL, ngx_http_ssl_variable,
       (uintptr_t) ngx_ssl_get_certificate, NGX_HTTP_VAR_CHANGEABLE, 0 },
 
diff --git a/src/http/modules/ngx_http_uwsgi_module.c b/src/http/modules/ngx_http_uwsgi_module.c
index f55e606c8..17dfc3b3a 100644
--- a/src/http/modules/ngx_http_uwsgi_module.c
+++ b/src/http/modules/ngx_http_uwsgi_module.c
@@ -1017,7 +1017,7 @@ ngx_http_uwsgi_process_status_line(ngx_http_request_t *r)
         return ngx_http_uwsgi_process_header(r);
     }
 
-    if (u->state) {
+    if (u->state && u->state->status == 0) {
         u->state->status = status->code;
     }
 
@@ -1145,7 +1145,7 @@ ngx_http_uwsgi_process_header(ngx_http_request_t *r)
                 ngx_str_set(&u->headers_in.status_line, "200 OK");
             }
 
-            if (u->state) {
+            if (u->state && u->state->status == 0) {
                 u->state->status = u->headers_in.status_n;
             }