Hello community, here is the log from the commit of package nginx for openSUSE:Factory checked in at 2020-08-14 09:32:20 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/nginx (Old) and /work/SRC/openSUSE:Factory/.nginx.new.3399 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "nginx" Fri Aug 14 09:32:20 2020 rev:55 rq:826075 version:1.19.2 Changes: -------- --- /work/SRC/openSUSE:Factory/nginx/nginx.changes 2020-07-29 17:14:13.596248050 +0200 +++ /work/SRC/openSUSE:Factory/.nginx.new.3399/nginx.changes 2020-08-14 09:33:45.012411367 +0200 @@ -1,0 +2,29 @@ +Wed Aug 12 15:23:16 UTC 2020 - Илья Индиго <[email protected]> + +- Update to 1.19.2 + * https://nginx.org/en/CHANGES + * Now nginx starts closing keepalive connections before all free + worker connections are exhausted, and logs a warning about this + to the error log. + * Optimization of client request body reading when using chunked + transfer encoding. + * Memory leak if the "ssl_ocsp" directive was used. + * "zero size buf in output" alerts might appear in logs if a + FastCGI server returned an incorrect response; the bug had + appeared in 1.19.1. + * A segmentation fault might occur in a worker process if + different large_client_header_buffers sizes were used in + different virtual servers. + * SSL shutdown might not work. + * "SSL_shutdown() failed (SSL: ... bad write retry)" messages + might appear in logs. + * In the ngx_http_slice_module. + * In the ngx_http_xslt_filter_module. + +------------------------------------------------------------------- +Tue Aug 4 19:10:24 UTC 2020 - Dirk Mueller <[email protected]> + +- update nginx-1.6.1-default_config.patch: + * remove geoip_module which is no longer compiled (bsc#1156202) + +------------------------------------------------------------------- Old: ---- nginx-1.19.1.tar.gz nginx-1.19.1.tar.gz.asc New: ---- nginx-1.19.2.tar.gz nginx-1.19.2.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ nginx.spec ++++++ --- /var/tmp/diff_new_pack.sGLytp/_old 2020-08-14 09:33:46.840412304 +0200 +++ /var/tmp/diff_new_pack.sGLytp/_new 2020-08-14 09:33:46.844412306 +0200 
@@ -76,7 +76,7 @@ %endif # Name: nginx -Version: 1.19.1 +Version: 1.19.2 Release: 0 Summary: A HTTP server and IMAP/POP3 proxy server License: BSD-2-Clause ++++++ check_1.9.2+.patch ++++++ --- /var/tmp/diff_new_pack.sGLytp/_old 2020-08-14 09:33:46.876412323 +0200 +++ /var/tmp/diff_new_pack.sGLytp/_new 2020-08-14 09:33:46.876412323 +0200 @@ -12,7 +12,7 @@ typedef struct { uint32_t hash; -@@ -235,6 +238,15 @@ ngx_http_upstream_get_hash_peer(ngx_peer +@@ -238,6 +241,15 @@ ngx_http_upstream_get_hash_peer(ngx_peer goto next; } @@ -28,7 +28,7 @@ if (peer->max_fails && peer->fails >= peer->max_fails && now - peer->checked <= peer->fail_timeout) -@@ -538,6 +550,15 @@ ngx_http_upstream_get_chash_peer(ngx_pee +@@ -560,6 +572,15 @@ ngx_http_upstream_get_chash_peer(ngx_pee continue; } @@ -58,7 +58,7 @@ typedef struct { /* the round robin data must be first */ -@@ -205,6 +208,15 @@ ngx_http_upstream_get_ip_hash_peer(ngx_p +@@ -208,6 +211,15 @@ ngx_http_upstream_get_ip_hash_peer(ngx_p goto next; } ++++++ nginx-1.19.1.tar.gz -> nginx-1.19.2.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.19.1/CHANGES new/nginx-1.19.2/CHANGES --- old/nginx-1.19.1/CHANGES 2020-07-07 17:56:11.000000000 +0200 +++ new/nginx-1.19.2/CHANGES 2020-08-11 16:52:34.000000000 +0200 
@@ -1,4 +1,33 @@ +Changes with nginx 1.19.2 11 Aug 2020 + + *) Change: now nginx starts closing keepalive connections before all + free worker connections are exhausted, and logs a warning about this + to the error log. + + *) Change: optimization of client request body reading when using + chunked transfer encoding. + + *) Bugfix: memory leak if the "ssl_ocsp" directive was used. + + *) Bugfix: "zero size buf in output" alerts might appear in logs if a + FastCGI server returned an incorrect response; the bug had appeared + in 1.19.1. + + *) Bugfix: a segmentation fault might occur in a worker process if + different large_client_header_buffers sizes were used in different + virtual servers. + + *) Bugfix: SSL shutdown might not work. + + *) Bugfix: "SSL_shutdown() failed (SSL: ... bad write retry)" messages + might appear in logs. + + *) Bugfix: in the ngx_http_slice_module. + + *) Bugfix: in the ngx_http_xslt_filter_module. + + Changes with nginx 1.19.1 07 Jul 2020 *) Change: the "lingering_close", "lingering_time", and diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.19.1/CHANGES.ru new/nginx-1.19.2/CHANGES.ru --- old/nginx-1.19.1/CHANGES.ru 2020-07-07 17:56:09.000000000 +0200 +++ new/nginx-1.19.2/CHANGES.ru 2020-08-11 16:52:33.000000000 +0200 
@@ -1,4 +1,33 @@ +Изменения в nginx 1.19.2 11.08.2020 + + *) Изменение: теперь nginx начинает закрывать keepalive-соединения, не + дожидаясь исчерпания всех свободных соединений, а также пишет об этом + предупреждение в лог ошибок. + + *) Изменение: оптимизация чтения тела запроса при использовании chunked + transfer encoding. + + *) Исправление: утечки памяти при использовании директивы ssl_ocsp. + + *) Исправление: в логах могли появляться сообщения "zero size buf in + output", если FastCGI-сервер возвращал некорректный ответ; ошибка + появилась в 1.19.1. + + *) Исправление: в рабочем процессе мог произойти segmentation fault, + если размеры large_client_header_buffers отличались в разных + виртуальных серверах. + + *) Исправление: SSL shutdown мог не работать. + + *) Исправление: в логах могли появляться сообщения "SSL_shutdown() + failed (SSL: ... bad write retry)". + + *) Исправление: в модуле ngx_http_slice_module. + + *) Исправление: в модуле ngx_http_xslt_filter_module. + + Изменения в nginx 1.19.1 07.07.2020 *) Изменение: директивы lingering_close, lingering_time и diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.19.1/src/core/nginx.h new/nginx-1.19.2/src/core/nginx.h --- old/nginx-1.19.1/src/core/nginx.h 2020-07-07 17:56:06.000000000 +0200 +++ new/nginx-1.19.2/src/core/nginx.h 2020-08-11 16:52:30.000000000 +0200 @@ -9,8 +9,8 @@ #define _NGINX_H_INCLUDED_ -#define nginx_version 1019001 -#define NGINX_VERSION "1.19.1" +#define nginx_version 1019002 +#define NGINX_VERSION "1.19.2" #define NGINX_VER "nginx/" NGINX_VERSION #ifdef NGX_BUILD diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.19.1/src/core/ngx_buf.h new/nginx-1.19.2/src/core/ngx_buf.h --- old/nginx-1.19.1/src/core/ngx_buf.h 2020-07-07 17:56:06.000000000 +0200 +++ new/nginx-1.19.2/src/core/ngx_buf.h 2020-08-11 16:52:30.000000000 +0200 
@@ -125,20 +125,20 @@ #define NGX_CHAIN_ERROR (ngx_chain_t *) NGX_ERROR -#define ngx_buf_in_memory(b) (b->temporary || b->memory || b->mmap) -#define ngx_buf_in_memory_only(b) (ngx_buf_in_memory(b) && !b->in_file) +#define ngx_buf_in_memory(b) ((b)->temporary || (b)->memory || (b)->mmap) +#define ngx_buf_in_memory_only(b) (ngx_buf_in_memory(b) && !(b)->in_file) #define ngx_buf_special(b) \ - ((b->flush || b->last_buf || b->sync) \ - && !ngx_buf_in_memory(b) && !b->in_file) + (((b)->flush || (b)->last_buf || (b)->sync) \ + && !ngx_buf_in_memory(b) && !(b)->in_file) #define ngx_buf_sync_only(b) \ - (b->sync \ - && !ngx_buf_in_memory(b) && !b->in_file && !b->flush && !b->last_buf) + ((b)->sync && !ngx_buf_in_memory(b) \ + && !(b)->in_file && !(b)->flush && !(b)->last_buf) #define ngx_buf_size(b) \ - (ngx_buf_in_memory(b) ? (off_t) (b->last - b->pos): \ - (b->file_last - b->file_pos)) + (ngx_buf_in_memory(b) ? (off_t) ((b)->last - (b)->pos): \ + ((b)->file_last - (b)->file_pos)) ngx_buf_t *ngx_create_temp_buf(ngx_pool_t *pool, size_t size); ngx_chain_t *ngx_create_chain_of_bufs(ngx_pool_t *pool, ngx_bufs_t *bufs); @@ -149,8 +149,8 @@ ngx_chain_t *ngx_alloc_chain_link(ngx_pool_t *pool); #define ngx_free_chain(pool, cl) \ - cl->next = pool->chain; \ - pool->chain = cl + (cl)->next = (pool)->chain; \ + (pool)->chain = (cl) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.19.1/src/core/ngx_connection.c new/nginx-1.19.2/src/core/ngx_connection.c --- old/nginx-1.19.1/src/core/ngx_connection.c 2020-07-07 17:56:06.000000000 +0200 +++ new/nginx-1.19.2/src/core/ngx_connection.c 2020-08-11 16:52:30.000000000 +0200 
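Review bot: `ngx_free_chain(pool, cl)` in the second ngx_buf.h hunk is still a two-statement macro after the parenthesization, so an unbraced `if (x) ngx_free_chain(p, cl);` would run `(pool)->chain = (cl)` unconditionally. Wrapping the body closes that gap for callers that end the call with a semicolon: `do { (cl)->next = (pool)->chain; (pool)->chain = (cl); } while (0)`. The macros in the first hunk also still evaluate `b` several times through the nested `ngx_buf_in_memory(b)`, which deserves a one-line comment such as `/* arguments are evaluated more than once; pass side-effect-free expressions */`.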
@@ -1107,12 +1107,9 @@ return NULL; } - c = ngx_cycle->free_connections; + ngx_drain_connections((ngx_cycle_t *) ngx_cycle); - if (c == NULL) { - ngx_drain_connections((ngx_cycle_t *) ngx_cycle); - c = ngx_cycle->free_connections; - } + c = ngx_cycle->free_connections; if (c == NULL) { ngx_log_error(NGX_LOG_ALERT, log, 0, @@ -1298,6 +1295,21 @@ ngx_queue_t *q; ngx_connection_t *c; + if (cycle->free_connection_n > cycle->connection_n / 16 + || cycle->reusable_connections_n == 0) + { + return; + } + + if (cycle->connections_reuse_time != ngx_time()) { + cycle->connections_reuse_time = ngx_time(); + + ngx_log_error(NGX_LOG_WARN, cycle->log, 0, + "%ui worker_connections are not enough, " + "reusing connections", + cycle->connection_n); + } + n = ngx_max(ngx_min(32, cycle->reusable_connections_n / 8), 1); for (i = 0; i < n; i++) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.19.1/src/core/ngx_cycle.c new/nginx-1.19.2/src/core/ngx_cycle.c --- old/nginx-1.19.1/src/core/ngx_cycle.c 2020-07-07 17:56:06.000000000 +0200 +++ new/nginx-1.19.2/src/core/ngx_cycle.c 2020-08-11 16:52:30.000000000 +0200 @@ -1009,6 +1009,7 @@ ngx_create_pidfile(ngx_str_t *name, ngx_log_t *log) { size_t len; + ngx_int_t rc; ngx_uint_t create; ngx_file_t file; u_char pid[NGX_INT64_LEN + 2]; @@ -1033,11 +1034,13 @@ return NGX_ERROR; } + rc = NGX_OK; + if (!ngx_test_config) { len = ngx_snprintf(pid, NGX_INT64_LEN + 2, "%P%N", ngx_pid) - pid; if (ngx_write_file(&file, pid, len, 0) == NGX_ERROR) { - return NGX_ERROR; + rc = NGX_ERROR; } } 
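Review bot: The early return added at the top of `ngx_drain_connections()` encodes two policy choices with no comment: draining starts once free connections drop to `connection_n / 16` or fewer, and the warning is throttled by comparing `connections_reuse_time` with `ngx_time()`. A short comment above the first `if` would cover both, for example `/* reuse keepalive connections when no more than 1/16 of worker_connections are free; warn once per ngx_time() value */`. Because `ngx_get_connection()` now calls this function on every allocation, the message is the main operator-visible sign of connection exhaustion; it is logged at `NGX_LOG_WARN`, so an error_log threshold stricter than warn will hide it. The function body starts and ends outside the hunk.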
@@ -1046,7 +1049,7 @@ ngx_close_file_n " \"%s\" failed", file.name.data); } - return NGX_OK; + return rc; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.19.1/src/core/ngx_cycle.h new/nginx-1.19.2/src/core/ngx_cycle.h --- old/nginx-1.19.1/src/core/ngx_cycle.h 2020-07-07 17:56:06.000000000 +0200 +++ new/nginx-1.19.2/src/core/ngx_cycle.h 2020-08-11 16:52:30.000000000 +0200 @@ -55,6 +55,7 @@ ngx_queue_t reusable_connections_queue; ngx_uint_t reusable_connections_n; + time_t connections_reuse_time; ngx_array_t listening; ngx_array_t paths; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.19.1/src/event/ngx_event_openssl.c new/nginx-1.19.2/src/event/ngx_event_openssl.c --- old/nginx-1.19.1/src/event/ngx_event_openssl.c 2020-07-07 17:56:06.000000000 +0200 +++ new/nginx-1.19.2/src/event/ngx_event_openssl.c 2020-08-11 16:52:30.000000000 +0200 @@ -2774,8 +2774,9 @@ ngx_int_t ngx_ssl_shutdown(ngx_connection_t *c) { - int n, sslerr, mode; - ngx_err_t err; + int n, sslerr, mode; + ngx_err_t err; + ngx_uint_t tries; ngx_ssl_ocsp_cleanup(c); 
@@ -2816,55 +2817,71 @@ ngx_ssl_clear_error(c->log); - n = SSL_shutdown(c->ssl->connection); + tries = 2; - ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_shutdown: %d", n); + for ( ;; ) { - sslerr = 0; + /* + * For bidirectional shutdown, SSL_shutdown() needs to be called + * twice: first call sends the "close notify" alert and returns 0, + * second call waits for the peer's "close notify" alert. + */ + + n = SSL_shutdown(c->ssl->connection); - /* before 0.9.8m SSL_shutdown() returned 0 instead of -1 on errors */ + ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_shutdown: %d", n); + + if (n == 1) { + SSL_free(c->ssl->connection); + c->ssl = NULL; + + return NGX_OK; + } + + if (n == 0 && tries-- > 1) { + continue; + } + + /* before 0.9.8m SSL_shutdown() returned 0 instead of -1 on errors */ - if (n != 1 && ERR_peek_error()) { sslerr = SSL_get_error(c->ssl->connection, n); ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr); - } - if (n == 1 || sslerr == 0 || sslerr == SSL_ERROR_ZERO_RETURN) { - SSL_free(c->ssl->connection); - c->ssl = NULL; + if (sslerr == SSL_ERROR_WANT_READ || sslerr == SSL_ERROR_WANT_WRITE) { + c->read->handler = ngx_ssl_shutdown_handler; + c->write->handler = ngx_ssl_shutdown_handler; - return NGX_OK; - } + if (ngx_handle_read_event(c->read, 0) != NGX_OK) { + return NGX_ERROR; + } - if (sslerr == SSL_ERROR_WANT_READ || sslerr == SSL_ERROR_WANT_WRITE) { - c->read->handler = ngx_ssl_shutdown_handler; - c->write->handler = ngx_ssl_shutdown_handler; + if (ngx_handle_write_event(c->write, 0) != NGX_OK) { + return NGX_ERROR; + } - if (ngx_handle_read_event(c->read, 0) != NGX_OK) { - return NGX_ERROR; - } + ngx_add_timer(c->read, 3000); - if (ngx_handle_write_event(c->write, 0) != NGX_OK) { - return NGX_ERROR; + return NGX_AGAIN; } - if (sslerr == SSL_ERROR_WANT_READ) { - ngx_add_timer(c->read, 30000); - } + if (sslerr == SSL_ERROR_ZERO_RETURN || ERR_peek_error() == 0) { + SSL_free(c->ssl->connection); + c->ssl = NULL; 
- return NGX_AGAIN; - } + return NGX_OK; + } - err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; + err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; - ngx_ssl_connection_error(c, sslerr, err, "SSL_shutdown() failed"); + ngx_ssl_connection_error(c, sslerr, err, "SSL_shutdown() failed"); - SSL_free(c->ssl->connection); - c->ssl = NULL; + SSL_free(c->ssl->connection); + c->ssl = NULL; - return NGX_ERROR; + return NGX_ERROR; + } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.19.1/src/event/ngx_event_openssl_stapling.c new/nginx-1.19.2/src/event/ngx_event_openssl_stapling.c --- old/nginx-1.19.1/src/event/ngx_event_openssl_stapling.c 2020-07-07 17:56:06.000000000 +0200 +++ new/nginx-1.19.2/src/event/ngx_event_openssl_stapling.c 2020-08-11 16:52:30.000000000 +0200 @@ -883,6 +883,7 @@ ocsp = ngx_pcalloc(c->pool, sizeof(ngx_ssl_ocsp_t)); if (ocsp == NULL) { + X509_free(cert); return NGX_ERROR; } @@ -899,6 +900,7 @@ if (ocsp->certs) { ocsp->certs = X509_chain_up_ref(ocsp->certs); if (ocsp->certs == NULL) { + X509_free(cert); return NGX_ERROR; } } @@ -910,6 +912,7 @@ if (store == NULL) { ngx_ssl_error(NGX_LOG_ERR, c->log, 0, "SSL_CTX_get_cert_store() failed"); + X509_free(cert); return NGX_ERROR; } @@ -917,6 +920,7 @@ if (store_ctx == NULL) { ngx_ssl_error(NGX_LOG_ERR, c->log, 0, "X509_STORE_CTX_new() failed"); + X509_free(cert); return NGX_ERROR; } @@ -926,6 +930,7 @@ ngx_ssl_error(NGX_LOG_ERR, c->log, 0, "X509_STORE_CTX_init() failed"); X509_STORE_CTX_free(store_ctx); + X509_free(cert); return NGX_ERROR; } @@ -933,6 +938,7 @@ if (rc <= 0) { ngx_ssl_error(NGX_LOG_ERR, c->log, 0, "X509_verify_cert() failed"); X509_STORE_CTX_free(store_ctx); + X509_free(cert); return NGX_ERROR; } 
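Review bot: In the `SSL_ERROR_WANT_READ`/`SSL_ERROR_WANT_WRITE` branch of `ngx_ssl_shutdown()`, the two `return NGX_ERROR;` exits after `ngx_handle_read_event()` and `ngx_handle_write_event()` leave `c->ssl->connection` allocated and `c->ssl` set, whereas every other terminal path in the new loop calls `SSL_free()` and clears `c->ssl`. These returns carry over from the old code, and whether the caller releases the SSL object on that error is not visible here; if it does not, each such failure leaks the session state. Making the exits consistent would mean adding `SSL_free(c->ssl->connection); c->ssl = NULL;` before both returns. Separately, the timer is now `ngx_add_timer(c->read, 3000)` for both directions instead of 30000 for reads only, and the constant deserves a comment such as `/* bound the wait for shutdown completion to 3 seconds */`. The function starts before this hunk.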
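Review bot: `X509_free(cert)` is now repeated on seven error exits plus the success path of this function (the hunks at -883, -899, -910, -917, -926 and -933 here, and -941 in the next section), so any early return added later has to remember it as well. A single error label would keep the ownership in one place: each failure becomes `goto failed;` and the label does `X509_free(cert); return NGX_ERROR;`, with the `X509_STORE_CTX_free(store_ctx)` calls either staying where they are or moving to the label behind a NULL check. Where `cert` is acquired is outside these hunks, so the reference it holds should also be stated in a comment at that point.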
@@ -941,12 +947,15 @@ ngx_ssl_error(NGX_LOG_ERR, c->log, 0, "X509_STORE_CTX_get1_chain() failed"); X509_STORE_CTX_free(store_ctx); + X509_free(cert); return NGX_ERROR; } X509_STORE_CTX_free(store_ctx); } + X509_free(cert); + ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "ssl ocsp validate, certs:%d", sk_X509_num(ocsp->certs)); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.19.1/src/http/modules/ngx_http_fastcgi_module.c new/nginx-1.19.2/src/http/modules/ngx_http_fastcgi_module.c --- old/nginx-1.19.1/src/http/modules/ngx_http_fastcgi_module.c 2020-07-07 17:56:06.000000000 +0200 +++ new/nginx-1.19.2/src/http/modules/ngx_http_fastcgi_module.c 2020-08-11 16:52:30.000000000 +0200 @@ -2306,6 +2306,18 @@ break; } + if (f->rest == -2) { + f->rest = r->upstream->headers_in.content_length_n; + } + + if (f->rest == 0) { + ngx_log_error(NGX_LOG_WARN, p->log, 0, + "upstream sent more data than specified in " + "\"Content-Length\" header"); + p->upstream_done = 1; + break; + } + cl = ngx_chain_get_free_buf(p->pool, &p->free); if (cl == NULL) { return NGX_ERROR; @@ -2349,11 +2361,7 @@ b->last = f->last; } - if (f->rest == -2) { - f->rest = r->upstream->headers_in.content_length_n; - } - - if (f->rest >= 0) { + if (f->rest > 0) { if (b->last - b->pos > f->rest) { ngx_log_error(NGX_LOG_WARN, p->log, 0, @@ -2564,6 +2572,14 @@ break; } + if (f->rest == 0) { + ngx_log_error(NGX_LOG_WARN, r->connection->log, 0, + "upstream sent more data than specified in " + "\"Content-Length\" header"); + u->length = 0; + break; + } + cl = ngx_chain_get_free_buf(r->pool, &u->free_bufs); if (cl == NULL) { return NGX_ERROR; 
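Review bot: `f->rest` is compared against `-2`, `0` and `> 0` in the fastcgi hunks with no comment saying what each value means, and the change from `>= 0` to `> 0` only reads correctly once that is known. A comment where the `-2` case is resolved would help, for example `/* -2: not yet taken from Content-Length; 0: declared body fully received; > 0: bytes still expected */`; a negative `content_length_n` presumably means the length is unknown, which should be confirmed against its declaration. The non-buffered filter hunks at -2564 and -2594 show no `-2` handling, so it is worth confirming that `f->rest` cannot still be `-2` when they run. The added warning marks an upstream that sent more than its declared length, which makes it a reasonable message to alert on.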
@@ -2594,7 +2610,7 @@ b->last = f->last; } - if (f->rest >= 0) { + if (f->rest > 0) { if (b->last - b->pos > f->rest) { ngx_log_error(NGX_LOG_WARN, r->connection->log, 0, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.19.1/src/http/modules/ngx_http_slice_filter_module.c new/nginx-1.19.2/src/http/modules/ngx_http_slice_filter_module.c --- old/nginx-1.19.1/src/http/modules/ngx_http_slice_filter_module.c 2020-07-07 17:56:06.000000000 +0200 +++ new/nginx-1.19.2/src/http/modules/ngx_http_slice_filter_module.c 2020-08-11 16:52:30.000000000 +0200 @@ -180,6 +180,11 @@ r->headers_out.content_range->hash = 0; r->headers_out.content_range = NULL; + if (r->headers_out.accept_ranges) { + r->headers_out.accept_ranges->hash = 0; + r->headers_out.accept_ranges = NULL; + } + r->allow_ranges = 1; r->subrequest_ranges = 1; r->single_range = 1; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.19.1/src/http/modules/ngx_http_xslt_filter_module.c new/nginx-1.19.2/src/http/modules/ngx_http_xslt_filter_module.c --- old/nginx-1.19.1/src/http/modules/ngx_http_xslt_filter_module.c 2020-07-07 17:56:06.000000000 +0200 +++ new/nginx-1.19.2/src/http/modules/ngx_http_xslt_filter_module.c 2020-08-11 16:52:30.000000000 +0200 @@ -233,6 +233,7 @@ ngx_http_set_ctx(r, ctx, ngx_http_xslt_filter_module); r->main_filter_need_in_memory = 1; + r->allow_ranges = 0; return NGX_OK; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.19.1/src/http/ngx_http_request.c new/nginx-1.19.2/src/http/ngx_http_request.c --- old/nginx-1.19.1/src/http/ngx_http_request.c 2020-07-07 17:56:06.000000000 +0200 +++ new/nginx-1.19.2/src/http/ngx_http_request.c 2020-08-11 16:52:30.000000000 +0200 
@@ -1647,6 +1647,12 @@ ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http large header copy: %uz", r->header_in->pos - old); + if (r->header_in->pos - old > b->end - b->start) { + ngx_log_error(NGX_LOG_ALERT, r->connection->log, 0, + "too large header to copy"); + return NGX_ERROR; + } + new = b->start; ngx_memcpy(new, old, r->header_in->pos - old); @@ -2986,6 +2992,12 @@ rev->error = 1; } +#if (NGX_HTTP_SSL) + if (c->ssl) { + c->ssl->no_send_shutdown = 1; + } +#endif + ngx_log_error(NGX_LOG_INFO, c->log, err, "client prematurely closed connection"); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.19.1/src/http/ngx_http_request_body.c new/nginx-1.19.2/src/http/ngx_http_request_body.c --- old/nginx-1.19.1/src/http/ngx_http_request_body.c 2020-07-07 17:56:06.000000000 +0200 +++ new/nginx-1.19.2/src/http/ngx_http_request_body.c 2020-08-11 16:52:30.000000000 +0200 @@ -12,6 +12,8 @@ static void ngx_http_read_client_request_body_handler(ngx_http_request_t *r); static ngx_int_t ngx_http_do_read_client_request_body(ngx_http_request_t *r); +static ngx_int_t ngx_http_copy_pipelined_header(ngx_http_request_t *r, + ngx_buf_t *buf); static ngx_int_t ngx_http_write_request_body(ngx_http_request_t *r); static ngx_int_t ngx_http_read_discarded_request_body(ngx_http_request_t *r); static ngx_int_t ngx_http_discard_request_body_filter(ngx_http_request_t *r, @@ -282,28 +284,12 @@ for ( ;; ) { if (rb->buf->last == rb->buf->end) { - if (rb->buf->pos != rb->buf->last) { + /* update chains */ - /* pass buffer to request body filter chain */ + rc = ngx_http_request_body_filter(r, NULL); - out.buf = rb->buf; - out.next = NULL; - - rc = ngx_http_request_body_filter(r, &out); - - if (rc != NGX_OK) { - return rc; - } - - } else { - - /* update chains */ - - rc = ngx_http_request_body_filter(r, NULL); - - if (rc != NGX_OK) { - return rc; - } + if (rc != NGX_OK) { + return rc; } if (rb->busy != NULL) { 
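Review bot: The new `r->header_in->pos - old > b->end - b->start` test guards `ngx_memcpy(new, old, r->header_in->pos - old)`, but nothing says why a large header buffer could be smaller than the data being moved into it. Going by the changelog entry on this page, that happens when virtual servers use different `large_client_header_buffers` sizes; a comment such as `/* b may have been sized by another server's large_client_header_buffers */` would keep the check from later being removed as dead code. `ngx_http_copy_pipelined_header()` in ngx_http_request_body.c casts the same kind of pointer difference to `size_t` before comparing, and using one form in both places would make the two guards easier to audit together. The enclosing function starts and ends outside the hunk.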
@@ -355,17 +341,15 @@ rb->buf->last += n; r->request_length += n; - if (n == rest) { - /* pass buffer to request body filter chain */ + /* pass buffer to request body filter chain */ - out.buf = rb->buf; - out.next = NULL; + out.buf = rb->buf; + out.next = NULL; - rc = ngx_http_request_body_filter(r, &out); + rc = ngx_http_request_body_filter(r, &out); - if (rc != NGX_OK) { - return rc; - } + if (rc != NGX_OK) { + return rc; } if (rb->rest == 0) { @@ -386,21 +370,6 @@ if (!c->read->ready) { - if (r->request_body_no_buffering - && rb->buf->pos != rb->buf->last) - { - /* pass buffer to request body filter chain */ - - out.buf = rb->buf; - out.next = NULL; - - rc = ngx_http_request_body_filter(r, &out); - - if (rc != NGX_OK) { - return rc; - } - } - clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); ngx_add_timer(c->read, clcf->client_body_timeout); @@ -412,6 +381,10 @@ } } + if (ngx_http_copy_pipelined_header(r, rb->buf) != NGX_OK) { + return NGX_HTTP_INTERNAL_SERVER_ERROR; + } + if (c->read->timer_set) { ngx_del_timer(c->read); } 
@@ -426,6 +399,88 @@ static ngx_int_t +ngx_http_copy_pipelined_header(ngx_http_request_t *r, ngx_buf_t *buf) +{ + size_t n; + ngx_buf_t *b; + ngx_chain_t *cl; + ngx_http_connection_t *hc; + ngx_http_core_srv_conf_t *cscf; + + b = r->header_in; + n = buf->last - buf->pos; + + if (buf == b || n == 0) { + return NGX_OK; + } + + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, + "http body pipelined header: %uz", n); + + /* + * if there is a pipelined request in the client body buffer, + * copy it to the r->header_in buffer if there is enough room, + * or allocate a large client header buffer + */ + + if (n > (size_t) (b->end - b->last)) { + + hc = r->http_connection; + + if (hc->free) { + cl = hc->free; + hc->free = cl->next; + + b = cl->buf; + + ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, + "http large header free: %p %uz", + b->pos, b->end - b->last); + + } else { + cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module); + + b = ngx_create_temp_buf(r->connection->pool, + cscf->large_client_header_buffers.size); + if (b == NULL) { + return NGX_ERROR; + } + + cl = ngx_alloc_chain_link(r->connection->pool); + if (cl == NULL) { + return NGX_ERROR; + } + + cl->buf = b; + + ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, + "http large header alloc: %p %uz", + b->pos, b->end - b->last); + } + + cl->next = hc->busy; + hc->busy = cl; + hc->nbusy++; + + r->header_in = b; + + if (n > (size_t) (b->end - b->last)) { + ngx_log_error(NGX_LOG_ALERT, r->connection->log, 0, + "too large pipelined header after reading body"); + return NGX_ERROR; + } + } + + ngx_memcpy(b->last, buf->pos, n); + + b->last += n; + r->request_length -= n; + + return NGX_OK; +} + + +static ngx_int_t ngx_http_write_request_body(ngx_http_request_t *r) { ssize_t n; @@ -670,8 +725,7 @@ for ( ;; ) { if (r->headers_in.content_length_n == 0) { - r->read_event_handler = ngx_http_block_reading; - return NGX_OK; + break; } if (!r->connection->read->ready) { 
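Review bot: `ngx_http_copy_pipelined_header()` has no comment on its contract, and two of its lines are not self-explanatory: the second `n > (size_t) (b->end - b->last)` test after a buffer was taken from `hc->free` or allocated, and `r->request_length -= n`. Suggested comments are `/* a recycled or new buffer can still be too small for n bytes */` above the second test and `/* these bytes were counted as body when read but presumably belong to the next request */` above the subtraction. The copy appends at `b->last` of a buffer taken from `hc->free`, so it relies on free-list buffers having been reset before reuse, which is not visible in this hunk and is worth stating. `hc->nbusy` is also incremented here without a comparison against a configured buffer count; if that limit is enforced elsewhere, a comment saying where would help.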
@@ -705,15 +759,24 @@ return rc; } } + + if (ngx_http_copy_pipelined_header(r, &b) != NGX_OK) { + return NGX_HTTP_INTERNAL_SERVER_ERROR; + } + + r->read_event_handler = ngx_http_block_reading; + + return NGX_OK; } static ngx_int_t ngx_http_discard_request_body_filter(ngx_http_request_t *r, ngx_buf_t *b) { - size_t size; - ngx_int_t rc; - ngx_http_request_body_t *rb; + size_t size; + ngx_int_t rc; + ngx_http_request_body_t *rb; + ngx_http_core_srv_conf_t *cscf; if (r->headers_in.chunked) { @@ -768,7 +831,10 @@ /* set amount of data we want to see next time */ - r->headers_in.content_length_n = rb->chunked->length; + cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module); + + r->headers_in.content_length_n = ngx_max(rb->chunked->length, + (off_t) cscf->large_client_header_buffers.size); break; } @@ -936,6 +1002,7 @@ ngx_chain_t *cl, *out, *tl, **ll; ngx_http_request_body_t *rb; ngx_http_core_loc_conf_t *clcf; + ngx_http_core_srv_conf_t *cscf; rb = r->request_body; @@ -949,8 +1016,10 @@ return NGX_HTTP_INTERNAL_SERVER_ERROR; } + cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module); + r->headers_in.content_length_n = 0; - rb->rest = 3; + rb->rest = cscf->large_client_header_buffers.size; } out = NULL; @@ -958,6 +1027,8 @@ for (cl = in; cl; cl = cl->next) { + b = NULL; + for ( ;; ) { ngx_log_debug7(NGX_LOG_DEBUG_EVENT, r->connection->log, 0, 
@@ -992,6 +1063,29 @@ return NGX_HTTP_REQUEST_ENTITY_TOO_LARGE; } + if (b + && rb->chunked->size <= 128 + && cl->buf->last - cl->buf->pos >= rb->chunked->size) + { + r->headers_in.content_length_n += rb->chunked->size; + + if (rb->chunked->size < 8) { + + while (rb->chunked->size) { + *b->last++ = *cl->buf->pos++; + rb->chunked->size--; + } + + } else { + ngx_memmove(b->last, cl->buf->pos, rb->chunked->size); + b->last += rb->chunked->size; + cl->buf->pos += rb->chunked->size; + rb->chunked->size = 0; + } + + continue; + } + tl = ngx_chain_get_free_buf(r->pool, &rb->free); if (tl == NULL) { return NGX_HTTP_INTERNAL_SERVER_ERROR; @@ -1057,7 +1151,10 @@ /* set rb->rest, amount of data we want to see next time */ - rb->rest = rb->chunked->length; + cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module); + + rb->rest = ngx_max(rb->chunked->length, + (off_t) cscf->large_client_header_buffers.size); break; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.19.1/src/http/v2/ngx_http_v2.c new/nginx-1.19.2/src/http/v2/ngx_http_v2.c --- old/nginx-1.19.1/src/http/v2/ngx_http_v2.c 2020-07-07 17:56:06.000000000 +0200 +++ new/nginx-1.19.2/src/http/v2/ngx_http_v2.c 2020-08-11 16:52:30.000000000 +0200 @@ -475,6 +475,7 @@ ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "http2 write event timed out"); c->error = 1; + c->timedout = 1; ngx_http_v2_finalize_connection(h2c, 0); return; } ++++++ nginx-1.6.1-default_config.patch ++++++ --- /var/tmp/diff_new_pack.sGLytp/_old 2020-08-14 09:33:47.140412458 +0200 +++ /var/tmp/diff_new_pack.sGLytp/_new 2020-08-14 09:33:47.140412458 +0200 @@ -1,6 +1,8 @@ ---- conf/nginx.conf.orig 2018-03-28 11:56:48.834012377 +0200 -+++ conf/nginx.conf 2018-03-28 13:16:09.978372767 +0200 -@@ -1,16 +1,28 @@ +Index: conf/nginx.conf +=================================================================== +--- conf/nginx.conf.orig ++++ conf/nginx.conf +@@ -1,16 +1,26 @@ -#user nobody; +#user nginx; 
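Review bot: The small-chunk path writes through `b->last` (the byte loop and the `ngx_memmove`) with no comparison against `b->end`, so its safety rests on an invariant the hunk does not state. `b` is only reset to NULL in the earlier hunk at -958; its assignment is outside the visible lines, and the use of `ngx_memmove` suggests it refers to the preceding buffer over the same memory as `cl->buf`, ending at or before `cl->buf->pos`. A comment should say so, for example `/* b is the preceding buffer over the same memory; data is compacted in place, so b->last cannot pass cl->buf->pos */`, once that is confirmed against the code that sets `b`. The thresholds `128` and `8` are also unexplained and would be clearer as named constants.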
@@ -10,14 +12,12 @@ -#error_log logs/error.log notice; -#error_log logs/error.log info; +# load_module #LIBDIR#/nginx/modules/ngx_http_fancyindex_module.so; -+# load_module #LIBDIR#/nginx/modules/ngx_http_geoip_module.so; +# load_module #LIBDIR#/nginx/modules/ngx_http_headers_more_filter_module.so; +# load_module #LIBDIR#/nginx/modules/ngx_http_image_filter_module.so; +# load_module #LIBDIR#/nginx/modules/ngx_http_perl_module.so; +# load_module #LIBDIR#/nginx/modules/ngx_http_xslt_filter_module.so; +# load_module #LIBDIR#/nginx/modules/ngx_mail_module.so; +# load_module #LIBDIR#/nginx/modules/ngx_rtmp_module.so; -+# load_module #LIBDIR#/nginx/modules/ngx_stream_geoip_module.so; +# load_module #LIBDIR#/nginx/modules/ngx_stream_module.so; + +#error_log /var/log/nginx/error.log; @@ -34,7 +34,7 @@ } -@@ -22,7 +34,7 @@ +@@ -22,7 +32,7 @@ http { # '$status $body_bytes_sent "$http_referer" ' # '"$http_user_agent" "$http_x_forwarded_for"'; @@ -43,7 +43,7 @@ sendfile on; #tcp_nopush on; -@@ -32,16 +44,18 @@ +@@ -32,16 +42,18 @@ http { #gzip on; @@ -64,7 +64,7 @@ index index.html index.htm; } -@@ -51,7 +65,7 @@ +@@ -51,7 +63,7 @@ http { # error_page 500 502 503 504 /50x.html; location = /50x.html { @@ -73,7 +73,7 @@ } # proxy the PHP scripts to Apache listening on 127.0.0.1:80 -@@ -63,7 +77,7 @@ +@@ -63,7 +75,7 @@ http { # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 # #location ~ \.php$ { @@ -82,7 +82,7 @@ # fastcgi_pass 127.0.0.1:9000; # fastcgi_index index.php; # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; -@@ -87,7 +101,7 @@ +@@ -87,7 +99,7 @@ http { # server_name somename alias another.alias; # location / { 
@@ -91,18 +91,18 @@ # index index.html index.htm; # } #} -@@ -101,6 +115,10 @@ - +@@ -102,6 +114,10 @@ http { # ssl_certificate cert.pem; # ssl_certificate_key cert.key; -+ + + # Allow TLS version 1.2 only, which is a recommended default these days + # by international information security standards. + # ssl_protocols TLSv1.2; - ++ # ssl_session_cache shared:SSL:1m; # ssl_session_timeout 5m; -@@ -109,9 +127,11 @@ + +@@ -109,9 +125,11 @@ http { # ssl_prefer_server_ciphers on; # location / { ++++++ nginx-aio.patch ++++++ --- /var/tmp/diff_new_pack.sGLytp/_old 2020-08-14 09:33:47.148412462 +0200 +++ /var/tmp/diff_new_pack.sGLytp/_new 2020-08-14 09:33:47.152412464 +0200 @@ -1,8 +1,8 @@ -Index: nginx-1.11.3/auto/unix +Index: nginx-1.19.1/auto/unix =================================================================== ---- nginx-1.11.3.orig/auto/unix -+++ nginx-1.11.3/auto/unix -@@ -531,7 +531,12 @@ if [ $NGX_FILE_AIO = YES ]; then +--- nginx-1.19.1.orig/auto/unix ++++ nginx-1.19.1/auto/unix +@@ -559,7 +559,12 @@ if [ $NGX_FILE_AIO = YES ]; then ngx_feature="Linux AIO support (SYS_eventfd)" ngx_feature_incs="#include <linux/aio_abi.h> #include <sys/syscall.h>" @@ -16,10 +16,10 @@ iocb.aio_lio_opcode = IOCB_CMD_PREAD; iocb.aio_flags = IOCB_FLAG_RESFD; iocb.aio_resfd = -1; -Index: nginx-1.11.3/src/event/modules/ngx_epoll_module.c +Index: nginx-1.19.1/src/event/modules/ngx_epoll_module.c =================================================================== ---- nginx-1.11.3.orig/src/event/modules/ngx_epoll_module.c -+++ nginx-1.11.3/src/event/modules/ngx_epoll_module.c +--- nginx-1.19.1.orig/src/event/modules/ngx_epoll_module.c ++++ nginx-1.19.1/src/event/modules/ngx_epoll_module.c @@ -77,9 +77,7 @@ int epoll_wait(int epfd, struct epoll_ev #if (NGX_HAVE_FILE_AIO)
