update nginx to 1.17.1

3rd/nchan-1.2.5/README.md → 3rd/nchan-1.2.6/README.md

@@ -22,7 +22,7 @@ In a web browser, you can use Websocket or EventSource natively, or the [NchanSu
 
 ## Status and History
 
-The latest Nchan release is 1.2.5 (March 20, 2019) ([changelog](https://nchan.io/changelog)).
+The latest Nchan release is 1.2.6 (June 18, 2019) ([changelog](https://nchan.io/changelog)).
 
 The first iteration of Nchan was written in 2009-2010 as the [Nginx HTTP Push Module](https://pushmodule.slact.net), and was vastly refactored into its present state in 2014-2016.
 
@@ -1264,10 +1264,10 @@ Additionally, `nchan_stub_status` data is also exposed as variables. These are a
 
 - **nchan_max_channel_id_length** `<number>`  
   arguments: 1  
-  default: `512`  
+  default: `1024`  
   context: http, server, location  
   legacy name: push_max_channel_id_length  
-  > Maximum permissible channel id length (number of characters). Longer ids will be truncated.    
+  > Maximum permissible channel id length (number of characters). This settings applies to ids before they may be split by the `nchan_channel_id_split_delimiter` Requests with a channel id that is too long will receive a `403 Forbidden` response.    
 
 - **nchan_max_channel_subscribers** `<number>`  
   arguments: 1  

3rd/nchan-1.2.5/changelog.txt → 3rd/nchan-1.2.6/changelog.txt

@@ -1,3 +1,12 @@
+1.2.6 (Jun. 18 2019)
+ fix: when using Redis, a channel can stop receiving new messages if 
+      they are published faster than they can be sent to subscribers and the 
+      message buffer is sufficiently small
+ fix: websocket PONG response did not contain PING frame data
+ fix: multiplexed channels may stop receiving messages
+ fix (security): specially crafted websocket publisher requests when using Redis
+      may result in use-after-free memory access
+ fix: Nginx config reload may result in crash when using Redis cluster
 1.2.5 (Mar. 20 2019)
  fix: using multiplexed channels with Redis in backup mode may result in worker crash
  fix: nchan_publisher_channel_id could not be set exclusively in a publisher location

3rd/nchan-1.2.5/src/nchan_commands.rb → 3rd/nchan-1.2.6/src/nchan_commands.rb

@@ -674,8 +674,8 @@
       group: "security",
       tags: ['publisher', 'subscriber', 'channel-id' ],
       value: "<number>",
-      default: 512,
-      info: "Maximum permissible channel id length (number of characters). Longer ids will be truncated."
+      default: 1024,
+      info: "Maximum permissible channel id length (number of characters). This settings applies to ids before they may be split by the `nchan_channel_id_split_delimiter` Requests with a channel id that is too long will receive a `403 Forbidden` response."
 
   nchan_max_channel_subscribers [:main, :srv, :loc],
       :ngx_conf_set_num_slot,

3rd/nchan-1.2.6/src/nchan_version.h

@@ -0,0 +1 @@
+#define NCHAN_VERSION "1.2.6"

3rd/nchan-1.2.5/src/store/memory/memstore.c → 3rd/nchan-1.2.6/src/store/memory/memstore.c

@@ -1069,7 +1069,7 @@ static memstore_channel_head_t *chanhead_memstore_create(ngx_str_t *channel_id,
 #endif
   head->multi=NULL;
   head->multi_count = 0;
-  head->multi_waiting = 0;
+  head->multi_subscribers_pending = 0;
 
   //set channel
   ngx_memcpy(&head->channel.id, &head->id, sizeof(ngx_str_t));
@@ -1088,7 +1088,6 @@ static memstore_channel_head_t *chanhead_memstore_create(ngx_str_t *channel_id,
 
   head->spooler.running=0;
 
-  head->multi_waiting = 0;
   if((n = parse_multi_id(&head->id, ids)) > 0) {
     memstore_multi_t          *multi;
     int16_t                   *tags_latest, *tags_oldest;
@@ -1127,11 +1126,13 @@ static memstore_channel_head_t *chanhead_memstore_create(ngx_str_t *channel_id,
     }
 
     head->multi_count = n;
+    head->multi_subscribers_pending = n;
     head->multi = multi;
     head->owner = head->slot; //multis are always self-owned
   }
   else {
     head->multi_count = 0;
+    head->multi_subscribers_pending = n;
 
     head->latest_msgid.time = 0;
     head->latest_msgid.tag.fixed[0] = 0;

3rd/nchan-1.2.5/src/store/memory/store-private.h → 3rd/nchan-1.2.6/src/store/memory/store-private.h

@@ -57,7 +57,7 @@ struct memstore_channel_head_s {
   uint16_t                        reserved;
 #endif
 
-  uint8_t                         multi_waiting;
+  uint8_t                         multi_subscribers_pending;
   uint8_t                         multi_count;
   memstore_multi_t               *multi;
 

3rd/nchan-1.2.5/src/store/redis/rdsstore.c → 3rd/nchan-1.2.6/src/store/redis/rdsstore.c

@@ -1977,6 +1977,7 @@ static void nchan_store_create_main_conf(ngx_conf_t *cf, nchan_main_conf_t *mcf)
 
   //reset redis_conf_head for reloads
   redis_conf_head = NULL;
+  nodeset_destroy_all(); //reset all nodesets before loading config
 }
 
 void redis_store_prepare_to_exit_worker() {
@@ -2021,7 +2022,6 @@ static void nchan_store_exit_worker(ngx_cycle_t *cycle) {
 
   //OLD
   //rbtree_walk(&redis_data_tree, (rbtree_walk_callback_pt )redis_data_tree_exiter_stage2, &chanheads);
-
   nodeset_destroy_all();
 
   //OLD

3rd/nchan-1.2.5/src/store/redis/redis_nodeset.c → 3rd/nchan-1.2.6/src/store/redis/redis_nodeset.c

@@ -881,7 +881,6 @@ void node_set_role(redis_node_t *node, redis_node_role_t role) {
         node->peers.master = NULL;
       }
       for(cur = nchan_list_first(&node->peers.slaves); cur != NULL; cur = nchan_list_next(cur)) {
-        assert((*cur)->peers.master == node);
         node_remove_peer(*cur, node);
       }
       nchan_list_empty(&node->peers.slaves);

3rd/nchan-1.2.5/src/store/spool.c → 3rd/nchan-1.2.6/src/store/spool.c

@@ -388,6 +388,7 @@ static ngx_int_t spool_fetch_msg_callback(ngx_int_t code, nchan_msg_t *msg, fetc
         if(spool->reserved == 0) {
           destroy_spool(spool);
         }
+        spool_fetch_msg(nuspool);
       }
       else if(spool->id.tagcount == 1 && nchan_compare_msgids(&spool->id, &oldest_msg_id) == 0) {
         // oldest msgid not found or expired. that means there are no messages in this channel, 

3rd/nchan-1.2.5/src/subscribers/memstore_multi.c → 3rd/nchan-1.2.6/src/subscribers/memstore_multi.c

@@ -44,9 +44,9 @@ static void change_sub_count(memstore_channel_head_t *ch, ngx_int_t n) {
 
 static ngx_int_t sub_enqueue(ngx_int_t status, void *ptr, sub_data_t *d) {
   DBG("%p enqueued (%p %V %i) %V", d->multi->sub, d->multi_chanhead, &d->multi_chanhead->id, d->n, &d->multi->id);
-  assert(d->multi_chanhead->multi_waiting > 0);
-  d->multi_chanhead->multi_waiting --;
-  if(d->multi_chanhead->multi_waiting == 0) {
+  assert(d->multi_chanhead->multi_subscribers_pending > 0);
+  d->multi_chanhead->multi_subscribers_pending --;
+  if(d->multi_chanhead->multi_subscribers_pending == 0) {
     memstore_ready_chanhead_unless_stub(d->multi_chanhead);
   }
 
@@ -56,7 +56,7 @@ static ngx_int_t sub_enqueue(ngx_int_t status, void *ptr, sub_data_t *d) {
 static ngx_int_t sub_dequeue(ngx_int_t status, void *ptr, sub_data_t* d) {
   DBG("%p dequeued (%p %V %i) %V", d->multi->sub, d->multi_chanhead, &d->multi_chanhead->id, d->n, &d->multi->id);
   d->multi_chanhead->status = WAITING;
-  d->multi_chanhead->multi_waiting++;
+  d->multi_chanhead->multi_subscribers_pending++;
   d->multi->sub = NULL;
 
   return NGX_OK;
@@ -152,18 +152,19 @@ subscriber_t *memstore_multi_subscriber_create(memstore_channel_head_t *chanhead
   sub->destroy_after_dequeue = 1;
   sub->dequeue_after_response = 0;
 
+  //DBG("create multi sub for %V (n=%i) pending=%i", &chanhead->multi[n].id, n, chanhead->multi_subscribers_pending);
   d->multi = &chanhead->multi[n];
   d->multi->sub = sub;
   d->multi_chanhead = chanhead;
   d->n = n;
-  chanhead->multi_waiting++;  
+  d->target_chanhead = target_ch;
+
+  assert(chanhead->multi_subscribers_pending > 0);
 
   target_ch->spooler.fn->add(&target_ch->spooler, sub);
 
   multi_subs = chanhead->shared->sub_count;
-
-  d->target_chanhead = target_ch;
-
+
   change_sub_count(target_ch, multi_subs);
 
   DBG("%p created with privdata %p", d->multi->sub, d);

3rd/nchan-1.2.5/src/subscribers/websocket.c → 3rd/nchan-1.2.6/src/subscribers/websocket.c

@@ -472,7 +472,7 @@ static ngx_int_t websocket_publish_callback(ngx_int_t status, nchan_channel_t *c
   }
   d = NULL;
 
-  if(websocket_release(&fsub->sub, 0) == NGX_ABORT) {
+  if(websocket_release(&fsub->sub, 0) == NGX_ABORT || fsub->sub.status == DEAD) {
     //zombie publisher
     //nothing more to do, we're finished here
     return NGX_OK;
@@ -839,10 +839,6 @@ ngx_int_t websocket_subscriber_destroy(subscriber_t *sub) {
 
     websocket_delete_timers(fsub);
     nchan_free_msg_id(&sub->last_msgid);
-    //debug 
-    if(fsub->cln) {
-      fsub->cln->data = NULL;
-    }
     //ngx_memset(fsub, 0x13, sizeof(*fsub));
     ws_destroy_msgpool(fsub);
     if(fsub->deflate.zstream_in) {
@@ -1155,9 +1151,9 @@ static ngx_int_t websocket_reserve(subscriber_t *self) {
 }
 static ngx_int_t websocket_release(subscriber_t *self, uint8_t nodestroy) {
   full_subscriber_t  *fsub = (full_subscriber_t  *)self;
+  //DBG("%p release for req %p, reservations: %i", self, fsub->sub.request, self->reserved);
   assert(self->reserved > 0);
   self->reserved--;
-  //DBG("%p release for req %p, reservations: %i", self, fsub->sub.request, self->reserved);
   if(nodestroy == 0 && fsub->awaiting_destruction == 1 && self->reserved == 0) {
     websocket_subscriber_destroy(self);
     return NGX_ABORT;
@@ -1305,8 +1301,6 @@ static void websocket_reading(ngx_http_request_t *r) {
   ngx_connection_t           *c;
   ngx_buf_t                  *msgbuf, buf;
   //ngx_str_t                 msg_in_str;
-  int                         close_code;
-  ngx_str_t                   close_reason;
 
   c = r->connection;
   rev = c->read;
@@ -1389,66 +1383,75 @@ static void websocket_reading(ngx_http_request_t *r) {
           case WEBSOCKET_OPCODE_PING:
           case WEBSOCKET_OPCODE_PONG:
           case WEBSOCKET_OPCODE_CLOSE:
-            if (frame->payload_len == 0) {
-              frame->payload = NULL;
-            }
-            else if(frame->payload_len < 1024) {
-              u_char payloadbuf[1024];
-              frame->payload = payloadbuf;
-              frame->last = frame->payload;
-              set_buffer(&buf, frame->payload, frame->last, frame->payload_len);
-              if ((rc = ws_recv(c, rev, &buf, frame->payload_len)) != NGX_OK) {
-                ERR("ws_recv NOT OK when receiving payload");
-                goto exit;
-              }
-              if (frame->mask) {
-                websocket_unmask_frame(frame);
-              }
-            }
-            else {
-              //ERROR: frame too big
-              websocket_send_close_frame(fsub, CLOSE_MESSAGE_TOO_BIG, NULL);
-              return websocket_reading_finalize(r);
-            }
-
-            switch(frame->opcode) {
-              case WEBSOCKET_OPCODE_PING:
-                DBG("%p got pinged", fsub);
-                websocket_send_frame(fsub, WEBSOCKET_PONG_LAST_FRAME_BYTE, 0, NULL);
-                break;
-
-              case WEBSOCKET_OPCODE_PONG:
-                DBG("%p Got ponged", fsub);
-                if(fsub->awaiting_pong) {
-                  fsub->awaiting_pong = 0;
-                }
-                // unsolicited pongs are ok too as per 
-                // https://tools.ietf.org/html/rfc6455#page-37
-                break;
+            { //block-scope these vars
+              u_char                  payloadbuf[1024];
+              int                     close_code;
+              ngx_str_t               payload_str;
+              nchan_buf_and_chain_t  *bc;
 
-              case WEBSOCKET_OPCODE_CLOSE:
-                fsub->received_close_frame = 1;
-                if(frame->payload_len >= 2) {
-                  ngx_memcpy(&close_code, frame->payload, 2);
-                  close_code = ntohs(close_code);
-                  close_reason.data = frame->payload + 2;
-                  close_reason.len = frame->payload_len - 2;
-                }
-                else {
-                  close_code = 0;
-                  close_reason.data = (u_char *)"";
-                  close_reason.len = 0;
+              if (frame->payload_len == 0) {
+                frame->payload = NULL;
+              }
+              else if(frame->payload_len < 1024) {
+                frame->payload = payloadbuf;
+                frame->last = frame->payload;
+                set_buffer(&buf, frame->payload, frame->last, frame->payload_len);
+                if ((rc = ws_recv(c, rev, &buf, frame->payload_len)) != NGX_OK) {
+                  ERR("ws_recv NOT OK when receiving payload");
+                  goto exit;
                 }
-                DBG("%p wants to close (code %i reason \"%V\")", fsub, close_code, &close_reason);
-                if(!fsub->sent_close_frame) {
-                  websocket_send_close_frame(fsub, close_code, &close_reason);
+                if (frame->mask) {
+                  websocket_unmask_frame(frame);
                 }
+              }
+              else {
+                //ERROR: frame too big
+                websocket_send_close_frame(fsub, CLOSE_MESSAGE_TOO_BIG, NULL);
                 return websocket_reading_finalize(r);
-                break; //good practice?
+              }
+
+              switch(frame->opcode) {
+                case WEBSOCKET_OPCODE_PING:
+                  bc = nchan_bufchain_pool_reserve(fsub->ctx->bcp, 1);
+                  DBG("%p got pinged", fsub);
+                  init_buf(&bc->buf, 1);
+                  payload_str.data = frame->payload;
+                  payload_str.len = frame->payload_len;
+                  set_buf_to_str(&bc->buf, &payload_str);
+                  websocket_send_frame(fsub, WEBSOCKET_PONG_LAST_FRAME_BYTE, frame->payload_len, &bc->chain);
+                  break;
+
+                case WEBSOCKET_OPCODE_PONG:
+                  DBG("%p Got ponged", fsub);
+                  if(fsub->awaiting_pong) {
+                    fsub->awaiting_pong = 0;
+                  }
+                  // unsolicited pongs are ok too as per 
+                  // https://tools.ietf.org/html/rfc6455#page-37
+                  break;
+
+                case WEBSOCKET_OPCODE_CLOSE:
+                  fsub->received_close_frame = 1;
+                  if(frame->payload_len >= 2) {
+                    ngx_memcpy(&close_code, frame->payload, 2);
+                    close_code = ntohs(close_code);
+                    payload_str.data = frame->payload + 2;
+                    payload_str.len = frame->payload_len - 2;
+                  }
+                  else {
+                    close_code = 0;
+                    payload_str.data = (u_char *)"";
+                    payload_str.len = 0;
+                  }
+                  DBG("%p wants to close (code %i reason \"%V\")", fsub, close_code, &payload_str);
+                  if(!fsub->sent_close_frame) {
+                    websocket_send_close_frame(fsub, close_code, &payload_str);
+                  }
+                  return websocket_reading_finalize(r);
+                  break; //good practice?
+              }
             }
-
             break;
-
           case WEBSOCKET_OPCODE_TEXT:
           case WEBSOCKET_OPCODE_BINARY:
 

CHANGES

@@ -1,4 +1,21 @@
 
+Changes with nginx 1.17.1                                        25 Jun 2019
+
+    *) Feature: the "limit_req_dry_run" directive.
+
+    *) Feature: when using the "hash" directive inside the "upstream" block
+       an empty hash key now triggers round-robin balancing.
+       Thanks to Niklas Keller.
+
+    *) Bugfix: a segmentation fault might occur in a worker process if
+       caching was used along with the "image_filter" directive, and errors
+       with code 415 were redirected with the "error_page" directive; the
+       bug had appeared in 1.11.10.
+
+    *) Bugfix: a segmentation fault might occur in a worker process if
+       embedded perl was used; the bug had appeared in 1.7.3.
+
+
 Changes with nginx 1.17.0                                        21 May 2019
 
     *) Feature: variables support in the "limit_rate" and "limit_rate_after"

CHANGES.ru

@@ -1,4 +1,22 @@
 
+Изменения в nginx 1.17.1                                          25.06.2019
+
+    *) Добавление: директива limit_req_dry_run.
+
+    *) Добавление: при использовании директивы hash в блоке upstream пустой
+       ключ хэширования теперь приводит к переключению на round-robin
+       балансировку.
+       Спасибо Niklas Keller.
+
+    *) Исправление: в рабочем процессе мог произойти segmentation fault,
+       если использовалось кэширование и директива image_filter, а ошибки с
+       кодом 415 перенаправлялись с помощь директивы error_page; ошибка
+       появилась в 1.11.10.
+
+    *) Исправление: в рабочем процессе мог произойти segmentation fault,
+       если использовался встроенный перл; ошибка появилась в 1.7.3.
+
+
 Изменения в nginx 1.17.0                                          21.05.2019
 
     *) Добавление: директивы limit_rate и limit_rate_after поддерживают

install_demo.sh

@@ -18,7 +18,7 @@ if ! test -f Makefile;then
                 --with-http-hi-lua-version=lua5.3                   \
                 --add-module=module/ngx_http_hi_module              \
                 --add-module=module/ngx_http_autoblacklist_module   \
-                --add-module=3rd/nchan-1.2.5                        \
+                --add-module=3rd/nchan-1.2.6                        \
                 --add-module=3rd/nginx-rtmp-module-1.2.1            
 else
     echo ready.