Re: [PATCH] Avoiding mixed socket families in PROXY protocol v1 (ticket #2594)

2024-02-22 Thread Roman Arutyunyan 
Hi,

On Thu, Feb 22, 2024 at 01:59:25AM +, J Carter wrote:
> Hello Roman,
> 
> On Wed, 21 Feb 2024 17:29:52 +0400
> Roman Arutyunyan  wrote:
> 
> > Hi,
> > 
> 
> [...]
> 
> > Checking whether the address used in PROXY writer is in fact the address
> > that was passed in the PROXY header, is complicated.  This will either 
> > require
> > setting a flag when PROXY address is set by realip, which is ugly.
> > Another approach is checking if the client address written to a PROXY header
> > matches the client address in the received PROXY header.  However since
> > currently PROXY protocol addresses are stored as text, and not all addresses
> > have unique text repersentations, this approach would require refactoring 
> > all
> > PROXY protocol code + realip modules to switch from text to sockaddr.
> > 
> > I suggest that we follow the first plan (INADDR_ANY etc).
> > 
> > > [...]
> > 
> > Updated patch attached.
> > 
> > --
> > Roman Arutyunyan
> 
> > diff --git a/src/core/ngx_proxy_protocol.c b/src/core/ngx_proxy_protocol.c
> > --- a/src/core/ngx_proxy_protocol.c
> > +++ b/src/core/ngx_proxy_protocol.c
> > @@ -279,7 +279,10 @@ ngx_proxy_protocol_read_port(u_char *p, 
> >  u_char *
> >  ngx_proxy_protocol_write(ngx_connection_t *c, u_char *buf, u_char *last)
> >  {
> > -ngx_uint_t  port, lport;
> > +socklen_t   local_socklen;
> > +ngx_uint_t  port, lport;
> > +struct sockaddr*local_sockaddr;
> > +static ngx_sockaddr_t   default_sockaddr;
> 
> I understand you are using the fact static variables are zero 
> initalized - to be both INADDR_ANY and "IN6ADDR_ANY", however is
> this defined behavior for a union (specifically for ipv6 case) ?
> 
> I was under the impression only the first declared member, along with
> padding bits were garunteed to be zero'ed.
> 
> https://stackoverflow.com/questions/54160137/what-constitutes-as-padding-in-a-union

It's not clear what exactly is meant by padding in that particular statement.
It may as well be everything beyong the first member.  However C99 does not
require zeroing out the padding anyway.

I can hardly believe there's a platform where the second union member may
in fact be non-zero in this case.  The entire union is allocated in the BSS
segment and is not even present in the binary file.

The reasons why C standard has this grey area are clear.  Zeroing out a chunk
of memory may not be equivalent to initializing particular members to NULL, 0.0
etc on certain platforms.  However nginx already heavily relies on ngx_memzero()
for initializing most structures.  For platforms where this works, there are
no reasons why a static union would not be allocated in a BSS segment.

However it's not hard to avoid the issue completely, just to be on the safe
side.  Thanks for noticing this.

> >  if (last - buf < NGX_PROXY_PROTOCOL_V1_MAX_HEADER) {
> >  ngx_log_error(NGX_LOG_ALERT, c->log, 0,
> > @@ -312,11 +315,21 @@ ngx_proxy_protocol_write(ngx_connection_
> >  
> >  *buf++ = ' ';
> >  
> > -buf += ngx_sock_ntop(c->local_sockaddr, c->local_socklen, buf, last - 
> > buf,
> > - 0);
> > +if (c->sockaddr->sa_family == c->local_sockaddr->sa_family) {
> > +local_sockaddr = c->local_sockaddr;
> > +local_socklen = c->local_socklen;
> > +
> > +} else {
> > +default_sockaddr.sockaddr.sa_family = c->sockaddr->sa_family;
> > +
> > +local_sockaddr = _sockaddr.sockaddr;
> > +local_socklen = sizeof(ngx_sockaddr_t);
> > +}
> > +
> > +buf += ngx_sock_ntop(local_sockaddr, local_socklen, buf, last - buf, 
> > 0);
> >  
> >  port = ngx_inet_get_port(c->sockaddr);
> > -lport = ngx_inet_get_port(c->local_sockaddr);
> > +lport = ngx_inet_get_port(local_sockaddr);
> >  
> >  return ngx_slprintf(buf, last, " %ui %ui" CRLF, port, lport);
> >  }
> > 
> ___
> nginx-devel mailing list
> nginx-devel@nginx.org
> https://mailman.nginx.org/mailman/listinfo/nginx-devel

--
Roman Arutyunyan
# HG changeset patch
# User Roman Arutyunyan 
# Date 1708522464 -14400
#  Wed Feb 21 17:34:24 2024 +0400
# Node ID 2d9bb7b49d64576fa29a673133129f16de3cfbbe
# Parent  44da04c2d4db94ad4eefa84b299e07c5fa4a00b9
Avoiding mixed socket families in PROXY protocol v1 (ticket #2010).

When using realip module, remote and local addresses of a connection can belong
to different address families.  This previously resulted in generating PROXY
protocol headers like this:

  PROXY TCP4 127.0.0.1 unix:/tmp/nginx1.sock 55544 0

The PROXY protocol v1 specification does not allow mixed families.  The change
substitutes server address with zero address in this case:

  PROXY TCP4 127.0.0.1 0.0.0.0 55544 0

As an alternative, "PROXY UNKNOWN" header could be used, which unlike this
header does not contain any useful information about the client.

Also, the above mentioned format for unix socket address is not specified in
PROXY

Re: [PATCH 1 of 2] Linux packages: removed Ubuntu 23.04 'lunar' due to EOL

2024-02-22 Thread Sergey Kandaurov 
On Wed, Feb 21, 2024 at 01:53:47PM -0800, Konstantin Pavlov wrote:
> # HG changeset patch
> # User Konstantin Pavlov 
> # Date 1708551797 28800
> #  Wed Feb 21 13:43:17 2024 -0800
> # Node ID 98a4f772621c4f0751042ab0f7e1f2d4ba53556f
> # Parent  e10905e43fa1d5abfdbc0bb6e9bd6e188aad6421
> Linux packages: removed Ubuntu 23.04 'lunar' due to EOL.
> 

On Wed, Feb 21, 2024 at 01:53:48PM -0800, Konstantin Pavlov wrote:
> # HG changeset patch
> # User Konstantin Pavlov 
> # Date 1708551944 28800
> #  Wed Feb 21 13:45:44 2024 -0800
> # Node ID 646ce0bcdac6817560f1c39bbcdf7439cc0be73d
> # Parent  98a4f772621c4f0751042ab0f7e1f2d4ba53556f
> Removed Maxim Dounin's PGP key.
> 

Ok for me.
___
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel

[njs] Shell: added QuickJS engine support.

2024-02-22 Thread Dmitry Volyntsev 
details:   https://hg.nginx.org/njs/rev/cb3e068a511c
branches:  
changeset: 2290:cb3e068a511c
user:  Dmitry Volyntsev 
date:  Thu Feb 22 20:25:43 2024 -0800
description:
Shell: added QuickJS engine support.

diffstat:

 auto/expect  |22 +-
 auto/make|23 +-
 auto/options | 2 +
 auto/quickjs |55 +
 auto/summary | 4 +
 configure| 1 +
 external/njs_shell.c |  2225 -
 src/njs_builtin.c| 3 +
 src/test/njs_unit_test.c | 4 +-
 test/setup   | 5 +
 test/shell_test.exp  |   361 +---
 test/shell_test_njs.exp  |   418 
 test/test262 | 5 +
 13 files changed, 2531 insertions(+), 597 deletions(-)

diffs (truncated from 3866 to 1000 lines):

diff -r 272af619b821 -r cb3e068a511c auto/expect
--- a/auto/expect   Thu Feb 22 17:38:58 2024 -0800
+++ b/auto/expect   Thu Feb 22 20:25:43 2024 -0800
@@ -20,11 +20,31 @@ fi
 if [ $njs_found = yes -a $NJS_HAVE_READLINE = YES ]; then
 cat << END >> $NJS_MAKEFILE
 
-shell_test:njs test/shell_test.exp
+shell_test_njs:njs test/shell_test.exp
PATH=$NJS_BUILD_DIR:\$(PATH) LANG=C.UTF-8 TERM=screen \
 expect -f test/shell_test.exp
+   PATH=$NJS_BUILD_DIR:\$(PATH) LANG=C.UTF-8 TERM=screen \
+expect -f test/shell_test_njs.exp
 END
 
+if [ $NJS_HAVE_QUICKJS = YES ]; then
+cat << END >> $NJS_MAKEFILE
+
+shell_test:shell_test_njs shell_test_quickjs
+
+shell_test_quickjs:njs test/shell_test.exp
+   PATH=$NJS_BUILD_DIR:\$(PATH) LANG=C.UTF-8 TERM=screen 
NJS_ENGINE=QuickJS \
+expect -f test/shell_test.exp
+END
+
+else
+cat << END >> $NJS_MAKEFILE
+
+shell_test:shell_test_njs
+END
+
+fi
+
 else
 echo " - expect tests are disabled"
 
diff -r 272af619b821 -r cb3e068a511c auto/make
--- a/auto/make Thu Feb 22 17:38:58 2024 -0800
+++ b/auto/make Thu Feb 22 20:25:43 2024 -0800
@@ -241,8 +241,7 @@ lib_test: $NJS_BUILD_DIR/njs_auto_config
$NJS_BUILD_DIR/lvlhsh_unit_test
$NJS_BUILD_DIR/unicode_unit_test
 
-test262: njs
-
+test262_njs: njs
test/test262 --binary=$NJS_BUILD_DIR/njs
 
 unit_test: $NJS_BUILD_DIR/njs_auto_config.h \\
@@ -265,6 +264,26 @@ dist:
&& echo njs-\$(NJS_VER).tar.gz done
 END
 
+if [ $NJS_HAVE_QUICKJS = YES ]; then
+cat << END >> $NJS_MAKEFILE
+
+test262: njs test262_njs test262_quickjs
+
+test262_quickjs: njs
+   NJS_SKIP_LIST="test/js/promise_rejection_tracker_recursive.t.js \\
+test/js/async_exception_in_await.t.js" \\
+   test/test262 --binary='$NJS_BUILD_DIR/njs -n QuickJS -m'
+END
+
+else
+cat << END >> $NJS_MAKEFILE
+
+test262: njs test262_njs
+END
+
+fi
+
+
 njs_ts_deps=`echo $NJS_TS_SRCS \
 | sed -e "s# *\([^ ][^ ]*\)#\1$njs_regex_cont#g"`
 
diff -r 272af619b821 -r cb3e068a511c auto/options
--- a/auto/options  Thu Feb 22 17:38:58 2024 -0800
+++ b/auto/options  Thu Feb 22 20:25:43 2024 -0800
@@ -14,6 +14,7 @@ NJS_DEBUG_GENERATOR=NO
 NJS_ADDRESS_SANITIZER=NO
 NJS_ADDR2LINE=NO
 
+NJS_QUICKJS=YES
 NJS_OPENSSL=YES
 NJS_LIBXML2=YES
 NJS_ZLIB=YES
@@ -47,6 +48,7 @@ do
 --debug-opcode=*)NJS_DEBUG_OPCODE="$value"   ;;
 --debug-generator=*) NJS_DEBUG_GENERATOR="$value";;
 
+--no-quickjs)NJS_QUICKJS=NO  ;;
 --no-openssl)NJS_OPENSSL=NO  ;;
 --no-libxml2)NJS_LIBXML2=NO  ;;
 --no-zlib)   NJS_ZLIB=NO ;;
diff -r 272af619b821 -r cb3e068a511c auto/quickjs
--- /dev/null   Thu Jan 01 00:00:00 1970 +
+++ b/auto/quickjs  Thu Feb 22 20:25:43 2024 -0800
@@ -0,0 +1,55 @@
+
+# Copyright (C) Dmitry Volyntsev
+# Copyright (C) NGINX, Inc.
+
+
+NJS_QUICKJS_LIB=
+NJS_HAVE_QUICKJS=NO
+
+if [ $NJS_QUICKJS = YES ]; then
+njs_found=no
+
+njs_feature="QuickJS library"
+njs_feature_name=NJS_HAVE_QUICKJS
+njs_feature_run=yes
+njs_feature_incs=
+njs_feature_libs=""
+njs_feature_test="#if defined(__GNUC__) && (__GNUC__ >= 8)
+  #pragma GCC diagnostic push
+  #pragma GCC diagnostic ignored \"-Wcast-function-type\"
+  #endif
+
+  #include 
+
+  int main() {
+  JSRuntime *rt;
+
+  rt = JS_NewRuntime();
+  JS_FreeRuntime(rt);
+  return 0;
+ }"
+. auto/feature
+
+if [ $njs_found = no ]; then
+njs_feature="QuickJS library -lquickjs.lto"
+njs_feature_incs="/usr/include/quickjs/"
+njs_feature_libs="-L/usr/lib/quickjs/ -lquickjs.lto -lm -ldl -lpthread"
+
+. auto/feature
+fi
+
+if [ $njs_found = no ]; then
+

[njs] Fixed atob() with non-padded base64 strings.

2024-02-22 Thread Dmitry Volyntsev 
details:   https://hg.nginx.org/njs/rev/272af619b821
branches:  
changeset: 2289:272af619b821
user:  Dmitry Volyntsev 
date:  Thu Feb 22 17:38:58 2024 -0800
description:
Fixed atob() with non-padded base64 strings.

This fixes #695 issue on Github.

diffstat:

 src/njs_string.c |   9 -
 src/test/njs_unit_test.c |  12 
 2 files changed, 20 insertions(+), 1 deletions(-)

diffs (41 lines):

diff -r 0479e5821ab2 -r 272af619b821 src/njs_string.c
--- a/src/njs_string.c  Wed Feb 14 21:34:02 2024 -0800
+++ b/src/njs_string.c  Thu Feb 22 17:38:58 2024 -0800
@@ -4298,7 +4298,14 @@ njs_string_atob(njs_vm_t *vm, njs_value_
 }
 }
 
-len = njs_base64_decoded_length(str.length, pad);
+len = str.length;
+
+if (len % 4 != 0) {
+pad = 4 - (len % 4);
+len += pad;
+}
+
+len = njs_base64_decoded_length(len, pad);
 
 njs_chb_init(, vm->mem_pool);
 
diff -r 0479e5821ab2 -r 272af619b821 src/test/njs_unit_test.c
--- a/src/test/njs_unit_test.c  Wed Feb 14 21:34:02 2024 -0800
+++ b/src/test/njs_unit_test.c  Thu Feb 22 17:38:58 2024 -0800
@@ -10093,6 +10093,18 @@ static njs_unit_test_t  njs_test[] =
   "].every(v => c(atob(v)).toString() == '8,52,86')"),
   njs_str("true")},
 
+{ njs_str("atob('aGVsbG8=')"),
+  njs_str("hello") },
+
+{ njs_str("atob('aGVsbG8')"),
+  njs_str("hello") },
+
+{ njs_str("atob('TQ==')"),
+  njs_str("M") },
+
+{ njs_str("atob('TQ')"),
+  njs_str("M") },
+
 /* Functions. */
 
 { njs_str("return"),
___
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel