update nginx to v1.21.1

webcpp · Jul 8, 2021 · 9804fac · 9804fac
1 parent e6145e2
commit 9804fac
Show file tree

Hide file tree

Showing 22 changed files with 303 additions and 193 deletions.
diff --git a/CHANGES b/CHANGES
@@ -1,4 +1,36 @@
 
+Changes with nginx 1.21.1                                        06 Jul 2021
+
+    *) Change: now nginx always returns an error for the CONNECT method.
+
+    *) Change: now nginx always returns an error if both "Content-Length"
+       and "Transfer-Encoding" header lines are present in the request.
+
+    *) Change: now nginx always returns an error if spaces or control
+       characters are used in the request line.
+
+    *) Change: now nginx always returns an error if spaces or control
+       characters are used in a header name.
+
+    *) Change: now nginx always returns an error if spaces or control
+       characters are used in the "Host" request header line.
+
+    *) Change: optimization of configuration testing when using many
+       listening sockets.
+
+    *) Bugfix: nginx did not escape """, "<", ">", "\", "^", "`", "{", "|",
+       and "}" characters when proxying with changed URI.
+
+    *) Bugfix: SSL variables might be empty when used in logs; the bug had
+       appeared in 1.19.5.
+
+    *) Bugfix: keepalive connections with gRPC backends might not be closed
+       after receiving a GOAWAY frame.
+
+    *) Bugfix: reduced memory consumption for long-lived requests when
+       proxying with more than 64 buffers.
+
+
 Changes with nginx 1.21.0                                        25 May 2021
 
     *) Security: 1-byte memory overwrite might occur during DNS server

diff --git a/CHANGES.ru b/CHANGES.ru
@@ -1,4 +1,38 @@
 
+Изменения в nginx 1.21.1                                          06.07.2021
+
+    *) Изменение: теперь nginx для метода CONNECT всегда возвращает ошибку.
+
+    *) Изменение: теперь nginx всегда возвращает ошибку, если в запросе
+       одновременно присутствуют строки заголовка "Content-Length" и
+       "Transfer-Encoding".
+
+    *) Изменение: теперь nginx всегда возвращает ошибку, если в строке
+       запроса используются пробелы или управляющие символы.
+
+    *) Изменение: теперь nginx всегда возвращает ошибку, если в имени
+       заголовка используются пробелы или управляющие символы.
+
+    *) Изменение: теперь nginx всегда возвращает ошибку, если в строке
+       "Host" заголовка запроса используются пробелы или управляющие
+       символы.
+
+    *) Изменение: оптимизация тестирования конфигурации при использовании
+       большого количества listen-сокетов.
+
+    *) Исправление: nginx не экранировал символы """, "<", ">", "\", "^",
+       "`", "{", "|", и "}" при проксировании с изменением URI запроса.
+
+    *) Исправление: SSL-переменные могли быть пустыми при записи в лог;
+       ошибка появилась в 1.19.5.
+
+    *) Исправление: keepalive-соединения с gRPC-бэкендами могли не
+       закрываться после получения GOAWAY-фрейма.
+
+    *) Исправление: уменьшено потребление памяти для долгоживущих запросов
+       при проксировании с использованием более 64 буферов.
+
+
 Изменения в nginx 1.21.0                                          25.05.2021
 
     *) Безопасность: при использовании директивы resolver во время обработки

diff --git a/contrib/vim/syntax/nginx.vim b/contrib/vim/syntax/nginx.vim
@@ -152,6 +152,7 @@ syn keyword ngxDirective contained auth_jwt_header_set
 syn keyword ngxDirective contained auth_jwt_key_file
 syn keyword ngxDirective contained auth_jwt_key_request
 syn keyword ngxDirective contained auth_jwt_leeway
+syn keyword ngxDirective contained auth_jwt_type
 syn keyword ngxDirective contained auth_request
 syn keyword ngxDirective contained auth_request_set
 syn keyword ngxDirective contained autoindex
@@ -332,16 +333,20 @@ syn keyword ngxDirective contained index
 syn keyword ngxDirective contained iocp_threads
 syn keyword ngxDirective contained ip_hash
 syn keyword ngxDirective contained js_access
+syn keyword ngxDirective contained js_body_filter
 syn keyword ngxDirective contained js_content
 syn keyword ngxDirective contained js_filter
+syn keyword ngxDirective contained js_header_filter
 syn keyword ngxDirective contained js_import
 syn keyword ngxDirective contained js_include
 syn keyword ngxDirective contained js_path
 syn keyword ngxDirective contained js_preread
 syn keyword ngxDirective contained js_set
+syn keyword ngxDirective contained js_var
 syn keyword ngxDirective contained keepalive
 syn keyword ngxDirective contained keepalive_disable
 syn keyword ngxDirective contained keepalive_requests
+syn keyword ngxDirective contained keepalive_time
 syn keyword ngxDirective contained keepalive_timeout
 syn keyword ngxDirective contained keyval
 syn keyword ngxDirective contained keyval_zone
@@ -373,6 +378,7 @@ syn keyword ngxDirective contained log_subrequest
 syn keyword ngxDirective contained map_hash_bucket_size
 syn keyword ngxDirective contained map_hash_max_size
 syn keyword ngxDirective contained master_process
+syn keyword ngxDirective contained max_errors
 syn keyword ngxDirective contained max_ranges
 syn keyword ngxDirective contained memcached_bind
 syn keyword ngxDirective contained memcached_buffer_size
@@ -1080,6 +1086,8 @@ syn keyword ngxDirectiveThirdParty contained nchan_subscriber_compound_etag_mess
 syn keyword ngxDirectiveThirdParty contained nchan_subscribe_request
 syn keyword ngxDirectiveThirdParty contained nchan_subscriber_first_message
 syn keyword ngxDirectiveThirdParty contained nchan_subscriber_http_raw_stream_separator
+syn keyword ngxDirectiveThirdParty contained nchan_subscriber_info
+syn keyword ngxDirectiveThirdParty contained nchan_subscriber_info_string
 syn keyword ngxDirectiveThirdParty contained nchan_subscriber_last_message_id
 syn keyword ngxDirectiveThirdParty contained nchan_subscriber_location
 syn keyword ngxDirectiveThirdParty contained nchan_subscriber_message_id_custom_etag_header
@@ -2368,9 +2376,9 @@ syn keyword ngxDirectiveThirdParty contained websockify_send_timeout
 
 " IP2Location Nginx
 " https://github.com/ip2location/ip2location-nginx
-syn keyword ngxDirectiveThirdParty contained ip2location_proxy
-syn keyword ngxDirectiveThirdParty contained ip2location_proxy_recursive
+syn keyword ngxDirectiveThirdParty contained ip2location_addresstype
 syn keyword ngxDirectiveThirdParty contained ip2location_areacode
+syn keyword ngxDirectiveThirdParty contained ip2location_category
 syn keyword ngxDirectiveThirdParty contained ip2location_city
 syn keyword ngxDirectiveThirdParty contained ip2location_country_long
 syn keyword ngxDirectiveThirdParty contained ip2location_country_short
@@ -2384,6 +2392,8 @@ syn keyword ngxDirectiveThirdParty contained ip2location_mcc
 syn keyword ngxDirectiveThirdParty contained ip2location_mnc
 syn keyword ngxDirectiveThirdParty contained ip2location_mobilebrand
 syn keyword ngxDirectiveThirdParty contained ip2location_netspeed
+syn keyword ngxDirectiveThirdParty contained ip2location_proxy
+syn keyword ngxDirectiveThirdParty contained ip2location_proxy_recursive
 syn keyword ngxDirectiveThirdParty contained ip2location_region
 syn keyword ngxDirectiveThirdParty contained ip2location_timezone
 syn keyword ngxDirectiveThirdParty contained ip2location_usagetype
@@ -2403,6 +2413,7 @@ syn keyword ngxDirectiveThirdParty contained ip2proxy_domain
 syn keyword ngxDirectiveThirdParty contained ip2proxy_isp
 syn keyword ngxDirectiveThirdParty contained ip2proxy_is_proxy
 syn keyword ngxDirectiveThirdParty contained ip2proxy_last_seen
+syn keyword ngxDirectiveThirdParty contained ip2proxy_provider
 syn keyword ngxDirectiveThirdParty contained ip2proxy_proxy
 syn keyword ngxDirectiveThirdParty contained ip2proxy_proxy_recursive
 syn keyword ngxDirectiveThirdParty contained ip2proxy_proxy_type

diff --git a/src/core/nginx.h b/src/core/nginx.h
@@ -9,8 +9,8 @@
 #define _NGINX_H_INCLUDED_
 
 
-#define nginx_version      1021000
-#define NGINX_VERSION      "1.21.0"
+#define nginx_version      1021001
+#define NGINX_VERSION      "1.21.1"
 #define NGINX_VER          "nginx/" NGINX_VERSION
 
 #ifdef NGX_BUILD

diff --git a/src/core/ngx_connection.c b/src/core/ngx_connection.c
@@ -495,21 +495,24 @@ ngx_open_listening_sockets(ngx_cycle_t *cycle)
                 return NGX_ERROR;
             }
 
-            if (setsockopt(s, SOL_SOCKET, SO_REUSEADDR,
-                           (const void *) &reuseaddr, sizeof(int))
-                == -1)
-            {
-                ngx_log_error(NGX_LOG_EMERG, log, ngx_socket_errno,
-                              "setsockopt(SO_REUSEADDR) %V failed",
-                              &ls[i].addr_text);
+            if (ls[i].type != SOCK_DGRAM || !ngx_test_config) {
 
-                if (ngx_close_socket(s) == -1) {
+                if (setsockopt(s, SOL_SOCKET, SO_REUSEADDR,
+                               (const void *) &reuseaddr, sizeof(int))
+                    == -1)
+                {
                     ngx_log_error(NGX_LOG_EMERG, log, ngx_socket_errno,
-                                  ngx_close_socket_n " %V failed",
+                                  "setsockopt(SO_REUSEADDR) %V failed",
                                   &ls[i].addr_text);
-                }
 
-                return NGX_ERROR;
+                    if (ngx_close_socket(s) == -1) {
+                        ngx_log_error(NGX_LOG_EMERG, log, ngx_socket_errno,
+                                      ngx_close_socket_n " %V failed",
+                                      &ls[i].addr_text);
+                    }
+
+                    return NGX_ERROR;
+                }
             }
 
 #if (NGX_HAVE_REUSEPORT)

diff --git a/src/core/ngx_rbtree.h b/src/core/ngx_rbtree.h
@@ -47,6 +47,9 @@ struct ngx_rbtree_s {
     (tree)->sentinel = s;                                                     \
     (tree)->insert = i
 
+#define ngx_rbtree_data(node, type, link)                                     \
+    (type *) ((u_char *) (node) - offsetof(type, link))
+
 
 void ngx_rbtree_insert(ngx_rbtree_t *tree, ngx_rbtree_node_t *node);
 void ngx_rbtree_delete(ngx_rbtree_t *tree, ngx_rbtree_node_t *node);

diff --git a/src/core/ngx_resolver.c b/src/core/ngx_resolver.c
@@ -51,9 +51,7 @@ typedef struct {
 } ngx_resolver_an_t;
 
 
-#define ngx_resolver_node(n)                                                 \
-    (ngx_resolver_node_t *)                                                  \
-        ((u_char *) (n) - offsetof(ngx_resolver_node_t, node))
+#define ngx_resolver_node(n)  ngx_rbtree_data(n, ngx_resolver_node_t, node)
 
 
 static ngx_int_t ngx_udp_connect(ngx_resolver_connection_t *rec);

diff --git a/src/core/ngx_string.c b/src/core/ngx_string.c
@@ -1493,39 +1493,52 @@ ngx_escape_uri(u_char *dst, u_char *src, size_t size, ngx_uint_t type)
     uint32_t       *escape;
     static u_char   hex[] = "0123456789ABCDEF";
 
-                    /* " ", "#", "%", "?", %00-%1F, %7F-%FF */
+    /*
+     * Per RFC 3986 only the following chars are allowed in URIs unescaped:
+     *
+     * unreserved    = ALPHA / DIGIT / "-" / "." / "_" / "~"
+     * gen-delims    = ":" / "/" / "?" / "#" / "[" / "]" / "@"
+     * sub-delims    = "!" / "$" / "&" / "'" / "(" / ")"
+     *               / "*" / "+" / "," / ";" / "="
+     *
+     * And "%" can appear as a part of escaping itself.  The following
+     * characters are not allowed and need to be escaped: %00-%1F, %7F-%FF,
+     * " ", """, "<", ">", "\", "^", "`", "{", "|", "}".
+     */
+
+                    /* " ", "#", "%", "?", not allowed */
 
     static uint32_t   uri[] = {
         0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
 
                     /* ?>=< ;:98 7654 3210  /.-, +*)( '&%$ #"!  */
-        0x80000029, /* 1000 0000 0000 0000  0000 0000 0010 1001 */
+        0xd000002d, /* 1101 0000 0000 0000  0000 0000 0010 1101 */
 
                     /* _^]\ [ZYX WVUT SRQP  ONML KJIH GFED CBA@ */
-        0x00000000, /* 0000 0000 0000 0000  0000 0000 0000 0000 */
+        0x50000000, /* 0101 0000 0000 0000  0000 0000 0000 0000 */
 
                     /*  ~}| {zyx wvut srqp  onml kjih gfed cba` */
-        0x80000000, /* 1000 0000 0000 0000  0000 0000 0000 0000 */
+        0xb8000001, /* 1011 1000 0000 0000  0000 0000 0000 0001 */
 
         0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
         0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
         0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
         0xffffffff  /* 1111 1111 1111 1111  1111 1111 1111 1111 */
     };
 
-                    /* " ", "#", "%", "&", "+", "?", %00-%1F, %7F-%FF */
+                    /* " ", "#", "%", "&", "+", ";", "?", not allowed */
 
     static uint32_t   args[] = {
         0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
 
                     /* ?>=< ;:98 7654 3210  /.-, +*)( '&%$ #"!  */
-        0x88000869, /* 1000 1000 0000 0000  0000 1000 0110 1001 */
+        0xd800086d, /* 1101 1000 0000 0000  0000 1000 0110 1101 */
 
                     /* _^]\ [ZYX WVUT SRQP  ONML KJIH GFED CBA@ */
-        0x00000000, /* 0000 0000 0000 0000  0000 0000 0000 0000 */
+        0x50000000, /* 0101 0000 0000 0000  0000 0000 0000 0000 */
 
                     /*  ~}| {zyx wvut srqp  onml kjih gfed cba` */
-        0x80000000, /* 1000 0000 0000 0000  0000 0000 0000 0000 */
+        0xb8000001, /* 1011 1000 0000 0000  0000 0000 0000 0001 */
 
         0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
         0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
@@ -1553,39 +1566,39 @@ ngx_escape_uri(u_char *dst, u_char *src, size_t size, ngx_uint_t type)
         0xffffffff  /* 1111 1111 1111 1111  1111 1111 1111 1111 */
     };
 
-                    /* " ", "#", """, "%", "'", %00-%1F, %7F-%FF */
+                    /* " ", "#", """, "%", "'", not allowed */
 
     static uint32_t   html[] = {
         0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
 
                     /* ?>=< ;:98 7654 3210  /.-, +*)( '&%$ #"!  */
-        0x000000ad, /* 0000 0000 0000 0000  0000 0000 1010 1101 */
+        0x500000ad, /* 0101 0000 0000 0000  0000 0000 1010 1101 */
 
                     /* _^]\ [ZYX WVUT SRQP  ONML KJIH GFED CBA@ */
-        0x00000000, /* 0000 0000 0000 0000  0000 0000 0000 0000 */
+        0x50000000, /* 0101 0000 0000 0000  0000 0000 0000 0000 */
 
                     /*  ~}| {zyx wvut srqp  onml kjih gfed cba` */
-        0x80000000, /* 1000 0000 0000 0000  0000 0000 0000 0000 */
+        0xb8000001, /* 1011 1000 0000 0000  0000 0000 0000 0001 */
 
         0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
         0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
         0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
         0xffffffff  /* 1111 1111 1111 1111  1111 1111 1111 1111 */
     };
 
-                    /* " ", """, "'", %00-%1F, %7F-%FF */
+                    /* " ", """, "'", not allowed */
 
     static uint32_t   refresh[] = {
         0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
 
                     /* ?>=< ;:98 7654 3210  /.-, +*)( '&%$ #"!  */
-        0x00000085, /* 0000 0000 0000 0000  0000 0000 1000 0101 */
+        0x50000085, /* 0101 0000 0000 0000  0000 0000 1000 0101 */
 
                     /* _^]\ [ZYX WVUT SRQP  ONML KJIH GFED CBA@ */
-        0x00000000, /* 0000 0000 0000 0000  0000 0000 0000 0000 */
+        0x50000000, /* 0101 0000 0000 0000  0000 0000 0000 0000 */
 
                     /*  ~}| {zyx wvut srqp  onml kjih gfed cba` */
-        0x80000000, /* 1000 0000 0000 0000  0000 0000 0000 0000 */
+        0xd8000001, /* 1011 1000 0000 0000  0000 0000 0000 0001 */
 
         0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
         0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */

diff --git a/src/event/ngx_event.c b/src/event/ngx_event.c
@@ -441,20 +441,23 @@ ngx_event_init_conf(ngx_cycle_t *cycle, void *conf)
 
 #if (NGX_HAVE_REUSEPORT)
 
-    ls = cycle->listening.elts;
-    for (i = 0; i < cycle->listening.nelts; i++) {
+    if (!ngx_test_config) {
 
-        if (!ls[i].reuseport || ls[i].worker != 0) {
-            continue;
-        }
+        ls = cycle->listening.elts;
+        for (i = 0; i < cycle->listening.nelts; i++) {
 
-        if (ngx_clone_listening(cycle, &ls[i]) != NGX_OK) {
-            return NGX_CONF_ERROR;
-        }
+            if (!ls[i].reuseport || ls[i].worker != 0) {
+                continue;
+            }
 
-        /* cloning may change cycle->listening.elts */
+            if (ngx_clone_listening(cycle, &ls[i]) != NGX_OK) {
+                return NGX_CONF_ERROR;
+            }
 
-        ls = cycle->listening.elts;
+            /* cloning may change cycle->listening.elts */
+
+            ls = cycle->listening.elts;
+        }
     }
 
 #endif