update nginx to v1.21.0

CHANGES

@@ -1,7 +1,30 @@
 
-Changes with nginx 1.20.0                                        20 Apr 2021
+Changes with nginx 1.21.0                                        25 May 2021
 
-    *) 1.20.x stable branch.
+    *) Security: 1-byte memory overwrite might occur during DNS server
+       response processing if the "resolver" directive was used, allowing an
+       attacker who is able to forge UDP packets from the DNS server to
+       cause worker process crash or, potentially, arbitrary code execution
+       (CVE-2021-23017).
+
+    *) Feature: variables support in the "proxy_ssl_certificate",
+       "proxy_ssl_certificate_key" "grpc_ssl_certificate",
+       "grpc_ssl_certificate_key", "uwsgi_ssl_certificate", and
+       "uwsgi_ssl_certificate_key" directives.
+
+    *) Feature: the "max_errors" directive in the mail proxy module.
+
+    *) Feature: the mail proxy module supports POP3 and IMAP pipelining.
+
+    *) Feature: the "fastopen" parameter of the "listen" directive in the
+       stream module.
+       Thanks to Anbang Wen.
+
+    *) Bugfix: special characters were not escaped during automatic redirect
+       with appended trailing slash.
+
+    *) Bugfix: connections with clients in the mail proxy module might be
+       closed unexpectedly when using SMTP pipelining.
 
 
 Changes with nginx 1.19.10                                       13 Apr 2021

CHANGES.ru

@@ -1,7 +1,30 @@
 
-Изменения в nginx 1.20.0                                          20.04.2021
+Изменения в nginx 1.21.0                                          25.05.2021
 
-    *) Стабильная ветка 1.20.x.
+    *) Безопасность: при использовании директивы resolver во время обработки
+       ответа DNS-сервера могла происходить перезапись одного байта памяти,
+       что позволяло атакующему, имеющему возможность подделывать UDP-пакеты
+       от DNS-сервера, вызвать падение рабочего процесса или, потенциально,
+       выполнение произвольного кода (CVE-2021-23017).
+
+    *) Добавление: директивы proxy_ssl_certificate,
+       proxy_ssl_certificate_key, grpc_ssl_certificate,
+       grpc_ssl_certificate_key, uwsgi_ssl_certificate и
+       uwsgi_ssl_certificate_key поддерживают переменные.
+
+    *) Добавление: директива max_errors в почтовом прокси-сервере.
+
+    *) Добавление: почтовый прокси-сервер поддерживает POP3 и IMAP
+       pipelining.
+
+    *) Добавление: параметр fastopen директивы listen в модуле stream.
+       Спасибо Anbang Wen.
+
+    *) Исправление: специальные символы не экранировались при автоматическом
+       перенаправлении с добавлением завершающего слэша.
+
+    *) Исправление: при использовании SMTP pipelining соединения с клиентами
+       в почтовом прокси-сервере могли неожиданно закрываться.
 
 
 Изменения в nginx 1.19.10                                         13.04.2021

conf/mime.types

@@ -51,6 +51,7 @@ types {
     application/vnd.openxmlformats-officedocument.wordprocessingml.document
                                                      docx;
     application/vnd.wap.wmlc                         wmlc;
+    application/wasm                                 wasm;
     application/x-7z-compressed                      7z;
     application/x-cocoa                              cco;
     application/x-java-archive-diff                  jardiff;

src/core/nginx.h

@@ -9,8 +9,8 @@
 #define _NGINX_H_INCLUDED_
 
 
-#define nginx_version      1020000
-#define NGINX_VERSION      "1.20.0"
+#define nginx_version      1021000
+#define NGINX_VERSION      "1.21.0"
 #define NGINX_VER          "nginx/" NGINX_VERSION
 
 #ifdef NGX_BUILD

src/core/ngx_resolver.c

@@ -1798,6 +1798,12 @@ ngx_resolver_process_response(ngx_resolver_t *r, u_char *buf, size_t n,
     i = sizeof(ngx_resolver_hdr_t);
 
     while (i < (ngx_uint_t) n) {
+
+        if (buf[i] & 0xc0) {
+            err = "unexpected compression pointer in DNS response";
+            goto done;
+        }
+
         if (buf[i] == '\0') {
             goto found;
         }
@@ -3939,11 +3945,11 @@ ngx_resolver_copy(ngx_resolver_t *r, ngx_str_t *name, u_char *buf, u_char *src,
 {
     char        *err;
     u_char      *p, *dst;
-    ssize_t      len;
+    size_t       len;
     ngx_uint_t   i, n;
 
     p = src;
-    len = -1;
+    len = 0;
 
     /*
      * compression pointers allow to create endless loop, so we set limit;
@@ -3958,6 +3964,16 @@ ngx_resolver_copy(ngx_resolver_t *r, ngx_str_t *name, u_char *buf, u_char *src,
         }
 
         if (n & 0xc0) {
+            if ((n & 0xc0) != 0xc0) {
+                err = "invalid label type in DNS response";
+                goto invalid;
+            }
+
+            if (p >= last) {
+                err = "name is out of DNS response";
+                goto invalid;
+            }
+
             n = ((n & 0x3f) << 8) + *p;
             p = &buf[n];
 
@@ -3986,7 +4002,7 @@ ngx_resolver_copy(ngx_resolver_t *r, ngx_str_t *name, u_char *buf, u_char *src,
         return NGX_OK;
     }
 
-    if (len == -1) {
+    if (len == 0) {
         ngx_str_null(name);
         return NGX_OK;
     }
@@ -3998,30 +4014,23 @@ ngx_resolver_copy(ngx_resolver_t *r, ngx_str_t *name, u_char *buf, u_char *src,
 
     name->data = dst;
 
-    n = *src++;
-
     for ( ;; ) {
+        n = *src++;
+
+        if (n == 0) {
+            name->len = dst - name->data - 1;
+            return NGX_OK;
+        }
+
         if (n & 0xc0) {
             n = ((n & 0x3f) << 8) + *src;
             src = &buf[n];
 
-            n = *src++;
-
         } else {
             ngx_strlow(dst, src, n);
             dst += n;
             src += n;
-
-            n = *src++;
-
-            if (n != 0) {
-                *dst++ = '.';
-            }
-        }
-
-        if (n == 0) {
-            name->len = dst - name->data;
-            return NGX_OK;
+            *dst++ = '.';
         }
     }
 }

src/core/ngx_string.c

@@ -1573,7 +1573,7 @@ ngx_escape_uri(u_char *dst, u_char *src, size_t size, ngx_uint_t type)
         0xffffffff  /* 1111 1111 1111 1111  1111 1111 1111 1111 */
     };
 
-                    /* " ", """, "%", "'", %00-%1F, %7F-%FF */
+                    /* " ", """, "'", %00-%1F, %7F-%FF */
 
     static uint32_t   refresh[] = {
         0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */

src/http/modules/ngx_http_auth_basic_module.c

@@ -16,7 +16,7 @@
 
 typedef struct {
     ngx_http_complex_value_t  *realm;
-    ngx_http_complex_value_t   user_file;
+    ngx_http_complex_value_t  *user_file;
 } ngx_http_auth_basic_loc_conf_t;
 
 
@@ -107,7 +107,7 @@ ngx_http_auth_basic_handler(ngx_http_request_t *r)
 
     alcf = ngx_http_get_module_loc_conf(r, ngx_http_auth_basic_module);
 
-    if (alcf->realm == NULL || alcf->user_file.value.data == NULL) {
+    if (alcf->realm == NULL || alcf->user_file == NULL) {
         return NGX_DECLINED;
     }
 
@@ -133,7 +133,7 @@ ngx_http_auth_basic_handler(ngx_http_request_t *r)
         return NGX_HTTP_INTERNAL_SERVER_ERROR;
     }
 
-    if (ngx_http_complex_value(r, &alcf->user_file, &user_file) != NGX_OK) {
+    if (ngx_http_complex_value(r, alcf->user_file, &user_file) != NGX_OK) {
         return NGX_ERROR;
     }
 
@@ -357,6 +357,9 @@ ngx_http_auth_basic_create_loc_conf(ngx_conf_t *cf)
         return NULL;
     }
 
+    conf->realm = NGX_CONF_UNSET_PTR;
+    conf->user_file = NGX_CONF_UNSET_PTR;
+
     return conf;
 }
 
@@ -367,13 +370,8 @@ ngx_http_auth_basic_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
     ngx_http_auth_basic_loc_conf_t  *prev = parent;
     ngx_http_auth_basic_loc_conf_t  *conf = child;
 
-    if (conf->realm == NULL) {
-        conf->realm = prev->realm;
-    }
-
-    if (conf->user_file.value.data == NULL) {
-        conf->user_file = prev->user_file;
-    }
+    ngx_conf_merge_ptr_value(conf->realm, prev->realm, NULL);
+    ngx_conf_merge_ptr_value(conf->user_file, prev->user_file, NULL);
 
     return NGX_CONF_OK;
 }
@@ -406,17 +404,22 @@ ngx_http_auth_basic_user_file(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
     ngx_str_t                         *value;
     ngx_http_compile_complex_value_t   ccv;
 
-    if (alcf->user_file.value.data) {
+    if (alcf->user_file != NGX_CONF_UNSET_PTR) {
         return "is duplicate";
     }
 
+    alcf->user_file = ngx_palloc(cf->pool, sizeof(ngx_http_complex_value_t));
+    if (alcf->user_file == NULL) {
+        return NGX_CONF_ERROR;
+    }
+
     value = cf->args->elts;
 
     ngx_memzero(&ccv, sizeof(ngx_http_compile_complex_value_t));
 
     ccv.cf = cf;
     ccv.value = &value[1];
-    ccv.complex_value = &alcf->user_file;
+    ccv.complex_value = alcf->user_file;
     ccv.zero = 1;
     ccv.conf_prefix = 1;
 

src/http/modules/ngx_http_dav_module.c

@@ -1072,14 +1072,37 @@ ngx_http_dav_error(ngx_log_t *log, ngx_err_t err, ngx_int_t not_found,
 static ngx_int_t
 ngx_http_dav_location(ngx_http_request_t *r)
 {
+    u_char     *p;
+    size_t      len;
+    uintptr_t   escape;
+
     r->headers_out.location = ngx_list_push(&r->headers_out.headers);
     if (r->headers_out.location == NULL) {
         return NGX_ERROR;
     }
 
     r->headers_out.location->hash = 1;
     ngx_str_set(&r->headers_out.location->key, "Location");
-    r->headers_out.location->value = r->uri;
+
+    escape = 2 * ngx_escape_uri(NULL, r->uri.data, r->uri.len, NGX_ESCAPE_URI);
+
+    if (escape) {
+        len = r->uri.len + escape;
+
+        p = ngx_pnalloc(r->pool, len);
+        if (p == NULL) {
+            ngx_http_clear_location(r);
+            return NGX_ERROR;
+        }
+
+        r->headers_out.location->value.len = len;
+        r->headers_out.location->value.data = p;
+
+        ngx_escape_uri(p, r->uri.data, r->uri.len, NGX_ESCAPE_URI);
+
+    } else {
+        r->headers_out.location->value = r->uri;
+    }
 
     return NGX_OK;
 }