Commit graph

4216 commits

Author SHA1 Message Date
discollizard
adf1d9362c
Merge 87668f6e58 into 42f8df65b6 2026-06-26 16:10:55 +08:00
Feng Wu
42f8df65b6 Add missing bounds check in ngx_{http,stream}_compile_complex_value()
Some checks failed
buildbot / buildbot (push) Has been cancelled
Complex value compilation scans strings for $1..$9 capture references.
Check that a byte after '$' is present before testing it, matching
ngx_str_t length semantics and avoiding reliance on NUL termination.

Apply the same check to both HTTP and stream implementations.
2026-06-25 09:15:44 -07:00
Feng Wu
2d71bdcf8b HTTP/2: fixed overlapping memcpy in CONTINUATION frames
Some checks are pending
buildbot / buildbot (push) Waiting to run
When processing CONTINUATION frames, ngx_http_v2_handle_continuation()
used ngx_memcpy() to shift header block fragment data past the frame
header.  If the fragment is larger than the frame header (9 bytes),
the source and destination regions overlap, which is undefined
behavior for memcpy.  The same function already uses ngx_memmove()
for another overlapping shift.
2026-06-24 17:57:50 +01:00
Sergey Kandaurov
319a0bff15 Charset: fixed another rare buffer overread in recode_from_utf8()
With prerequisites similar to 696a7f1b9, it was possible to gain 1-byte
overread on invalid UTF-8 sequences.  The reason is ngx_utf8_decode()
stops advancing the pointer position on the first encountered invalid
byte.  The fix is to adjust the advanced pointer up to the whole saved
sequence in this case.  Note that this may result in different output
compared to complete invalid UTF-8 sequences, which we can disregard
at this point.

Reported by Han Yan of Xiaomi and p4p3r of CYBERONE.
2026-06-17 07:40:35 -07:00
Roman Arutyunyan
26d824ec3a Upstream: limit header length for HTTP/2 and gRPC
The change applies the HTTP/2 header length limits to avoid buffer
overflow.  See 58a7bc3406 for details.

Reported by Mufeed VH of Winfunc Research.
2026-06-17 07:40:35 -07:00
Roman Arutyunyan
9e293766e7 HTTP/3: avoid recreation of standard client uni streams
Creating a control/encoder/decoder stream while another such stream
already exists, is not allowed.  Also, closing such a stream results
in connection closure with NGX_HTTP_V3_ERR_CLOSED_CRITICAL_STREAM.
However, since stream creation and connection closure are asynchronous,
there could be a window where two control/encoder/decoder streams
could coexist within a single cycle iteration.  This could result
in reusing parsing context, such as encoder insert buffer.

The change adds a mask for all standard client uni streams ever created.
This allows to check if a stream of this type was created before.
While here, mandatory stream validation now also uses this mask.
2026-06-17 07:40:35 -07:00
Roman Arutyunyan
ceccdbd2ee HTTP/3: allocate insert buffer from connection pool
Previously, it was allocated from the encoder stream pool.  This could
lead to use-after-free if the stream was closed and another encoder
stream was opened.

Reported by Trung Nguyen (@everping) of CyStack.
2026-06-17 07:40:35 -07:00
Roman Arutyunyan
875750a4f7 HTTP/3: use max table capacity for insert buffer allocation
Previously, current capacity was used for the allocation, which could
be insufficient if table capacity was later increased.
2026-06-17 07:40:35 -07:00
Nitin Swami
e09c0d32d5 Access log: fix "request_length" format length
The variable handler uses "%O" format specifier.

Reported by Mufeed VH of Winfunc Research.
2026-06-11 09:12:57 +05:30
Sergey Kandaurov
bedf18f95d Secure link: compare hashes in constant time
Some checks are pending
buildbot / buildbot (push) Waiting to run
Reported by kodareef5
2026-06-11 01:40:19 +05:30
Sergey Kandaurov
b23fdb91ee Secure link: style 2026-06-11 01:40:19 +05:30
Sergey Kandaurov
455fbf8c45 Style 2026-06-10 22:21:10 +04:00
Sergey Kandaurov
d994f5b822 Split clients: improved calculation of range boundaries
Some checks failed
buildbot / buildbot (push) Has been cancelled
If the last variant was given an explicit percentage to reach 100%, it
did not cover hash values on the range boundary or due to accumulating
rounding error.  Now this corresponds to the configuration with "*".
2026-06-09 19:04:17 +04:00
Boris Tonofa
ac4bedfafe Xslt: fix handling of vsnprintf() return value 2026-06-08 14:29:08 +04:00
Vadim Zhestikov
1c387799ca SSL: add $ssl_sigalgs variable
Some checks failed
buildbot / buildbot (push) Has been cancelled
The new $ssl_sigalgs variable lists all signature algorithms
advertised by the client in its ClientHello message,
colon-separated, in analogy to $ssl_ciphers and $ssl_curves.

On OpenSSL 4.0+, SSL_get0_sigalg() is used, which returns proper
TLS scheme names (e.g. "rsa_pkcs1_sha256", "ecdsa_secp256r1_sha256")
and falls back to "0xHHHH" hex for unknown schemes.

On OpenSSL 1.0.2+, SSL_get_sigalgs() is used.  Since OBJ_nid2sn()
on the combined psignhash NID is not injective across TLS
SignatureScheme codes (e.g. 0x0403 and 0x081a both yield
"ecdsa-with-SHA256"), raw SignatureScheme codes are reported to
avoid ambiguity and to match the hex fallback format of
SSL_get0_sigalg().

With older versions, as well as BoringSSL, LibreSSL, and AWS-LC,
the variable is empty.
2026-06-04 09:50:50 -07:00
Eugene Grebenschikov
c5f2afd50e Switched $request_id to SipHash-based generation
Some checks failed
buildbot / buildbot (push) Has been cancelled
Replaced RAND_bytes() and random() based $request_id
generation with SipHash-2-4.  The previous implementation
used RAND_bytes() when built with OpenSSL, which is
50-100x slower than needed for a non-security identifier,
and fell back to random() which produces poor 128-bit
random numbers.

The new implementation calls SipHash twice with a secret
key and a monotonic counter, producing 128 bits with good
statistical distribution at a fraction of the cost.
2026-06-02 15:30:30 -07:00
Roman Arutyunyan
ca4f92a274 Rewrite: fix buffer overflow with overlapping captures
When the rewrite replacement string had no variables, but had
overlapping captures, the length of the allocated buffer could be
smaller than the replacement string.  This could happen either
when the "redirect" parameter is specified, or when arguments are
present in the replacement string.

The following configurations resulted in heap buffer overflow when
using URI "/++++++++++++++++++++++++++++++":

    location / {
        rewrite ^/((.*))$ http://127.0.0.1:8080/$1$2 redirect;
        return 200 foo;
    }

    location / {
        rewrite ^/((.*))$ http://127.0.0.1:8080/?$1$2;
        return 200 foo;
    }

Reported by Mufeed VH of Winfunc Research.
2026-05-22 18:55:09 +04:00
Roman Arutyunyan
475732a3f9 Rewrite: harden escape flags control
Some checks are pending
buildbot / buildbot (push) Waiting to run
Following 2046b45aa0, this change introduces better control of memory
allocation flags for escaped values.  Notably:

- The e->is_args flag is now explicitly reset on rewrite start.
  If the flag was set prior to rewrite start, then buffer overflow
  could happen before 2046b45aa0.

- The le->is_args flag value is now copied from e->is_args when
  calculating complex value length for "if" and "set" directives.
  If e->is_args was set, but le->is_args was not, then buffer overflow
  could happen before 2046b45aa0.
2026-05-21 18:00:00 +04:00
Roman Arutyunyan
58a7bc3406 HTTP/2: limit Content-Type and Location response header length
Previously, when these fields were larger than ~2M, the number of bytes
allocated for the field length was insufficient for such a large number.
The deficit is 1 byte up until ~4M, 2 bytes for sizes above, and grows
bigger with even larger fields.

Currently, nginx does not have modules which allow to exploit this
overflow with reasonably large Content-Type and Location.  The reason is
other response fields make up for this deficit.  For example, the Date
header value contains the characters compressed well by Huffman
encoding, which frees up spare bytes in the header buffer.

Reported by Leo Lin.
2026-05-15 16:23:39 +04:00
Roman Arutyunyan
18a70a4d58 Mp4: avoid adding or comparing to null pointer
It is considered undefined behavior.

Reported by Geonwoo.kim (awo@kakao.com).
2026-05-15 16:20:30 +04:00
Roman Arutyunyan
c24fb259d1 Proxy: fix large body with proxy_set_body and HTTP/2
Previously, if proxy_set_body was used with HTTP/2, and body size exceeded
16M, then an overflow happened in the 24-bit DATA frame size, which resulted
in sending unframed bytes, potentially allowing for an injection.

Also, DATA frame size could exceed NGX_HTTP_V2_DEFAULT_FRAME_SIZE (16K) and
available send window.

Reported by Mufeed VH of Winfunc Research.
2026-05-13 21:19:47 +04:00
Roman Arutyunyan
2046b45aa0 Rewrite: fixed escaping and possible buffer overrun
The following code resulted in incorrect escaping of $1 and possible
segfault:

    location / {
        rewrite ^(.*) /new?c=1;
        set $myvar $1;
        return 200 $myvar;
    }

If there were arguments in a rewrite's replacement string, the is_args flag
was set and incorrectly never cleared.  This resulted in escaping applied
to any captures evaluated afterwards in set or if.  Additionally buffer was
allocated by ngx_http_script_complex_value_code() without escaping expected,
thus this also resulted in buffer overrun and possible segfault.

A similar issue was fixed in 74d939974d.

Reported by Leo Lin.
2026-05-13 21:19:47 +04:00
Sergey Kandaurov
5f86648ef8 Upstream: fixed parsing of split status lines
If the first response line was split across reads and it didn't appear
a status line, the portion already processed was lost.  The change
introduces a new field for proper backtracking on status line fallback.
2026-05-13 21:19:47 +04:00
Sergey Kandaurov
f79c286b34 Upstream: reset parsing state after invalid status line
Previously, it was possible to start parsing headers with a wrong
parsing state after status line was not recognized, as a fallback
used in the scgi and uwsgi modules.

Reported by Leo Lin.
2026-05-13 21:19:47 +04:00
David Carlier
696a7f1b91 Charset: fix buffer over-read in recode_from_utf8().
When a multi-byte UTF-8 character was split across 3+ single-byte
buffers, the saved bytes continuation path had two related bugs:

ngx_utf8_decode() was called with the last saved-array index instead
of the byte count, causing it to report "incomplete" even when the
sequence was already complete.

The subsequent ngx_memcpy() used that same index as the copy length,
reading past the input buffer boundary.
2026-05-13 21:19:47 +04:00
Sergey Kandaurov
a43c76b4e3 Reject HTTP CONNECT method with no port after colon
Some checks failed
buildbot / buildbot (push) Has been cancelled
2026-05-11 19:40:47 +04:00
Roman Arutyunyan
631bfa194d Support 407 code in "satisfy any" and "auth_delay"
Notably, "auth_delay" now delays the response for both 401 and 407.
Also, in the "satisfy any" mode, the next access/auth attempt is made
for 401, 403 and 407.
2026-05-08 09:42:58 +04:00
Roman Arutyunyan
4e9289e51a Proxy authentication for CONNECT requests
Notably, ngx_http_auth_basic_module uses Proxy-Authorization input
header, Proxy-Authenticate output header and HTTP code 407 instead
of Authorization, WWW-Authenticate and 401 respectively.
2026-05-08 09:42:58 +04:00
Roman Arutyunyan
8599df49d6 HTTP tunnel module
The module handles CONNECT requests and establishes a tunnel to a
backend.

Example config:

http {

    map $request_port $allow_port {
        80             1;
        443            1;
    }

    map $host $allow_host {
        hostnames;

        example.com    1;
        *.example.org  1;
    }

    server {
        listen 8000;

        resolver dns.example.com;

        if ($allow_port != 1) {
            return 403;
        }

        if ($allow_host != 1) {
            return 403;
        }

        tunnel_pass;
    }
}

Request:

    $ curl -x 127.0.0.1:8000 https://example.com
2026-05-08 09:42:58 +04:00
Roman Arutyunyan
1a2adac356 Proxy: fix keepalive for HTTP/2 with explicit or no body
Previously, when an HTTP/2 request had no body or an explicit body
was set by proxy_set_body, the request consisted of only one buffer,
which had no b->last_buf flag set.  This prevented ctx->output_closed
from being set after processing this buffer.  Consequently,
u->keepalive might not be set to store the connection in the
keepalive cache.
2026-05-07 13:18:39 +04:00
Sai Krishna Kumar Reddy Yadamakanti
f0a084645b Dav: improved path validation for COPY and MOVE operations
The COPY and MOVE handler did not validate whether source and
destination paths referred to the same resource or a parent-child
collection relationship, which could corrupt or destroy files.

Now 403 is returned if paths match or one is a prefix of the other.

Reported by Mufeed VH of Winfunc Research.
2026-05-06 19:35:17 +05:30
Vladimir Homutov
5760d6148e Upstream: least_time balancer module
The module implements load-balancing algorithm based on least average
response header/last_byte time and least number of active connections.

The optional "inflight" mode enables accounting of incomplete
requests/sessions.  This allows to mitigate cases when an upstream
server hangs and does not close connections.

Example configuration:

upstream u {
    least_time header | last_byte [inflight];
    server a;
    server b;
}

Co-authored-by: Roman Arutyunyan <arut@nginx.com>
2026-05-04 21:19:40 +05:30
Vladimir Homutov
45554176ca Upstream: locked version of ngx_*_upstream_free_round_robin_peer().
This allows optimizing ngx_http_upstream_free_least_time_peer() by
not releasing and re-taking the same lock.
2026-05-04 21:19:40 +05:30
Sergey Kandaurov
6eb7dcdd98 Request body: restored buffered empty body special case
This restores a long-standing optimization when the entire request
body is empty and r->request_body_in_file_only is set, used to avoid
writing an empty file as initially introduced in 4c7f51136 (0.4.4).
The previous condition never worked with chunked body filter, where
rb->bufs holds at least the final chunk; in length body filter, it is
used to indicate the last received buffer since 2a7092138 (1.21.2).

The fix is to additionally check if it is the only empty buffer.

Found with UndefinedBehaviorSanitizer (pointer-overflow)
2026-04-30 15:09:24 +04:00
Roman Arutyunyan
d7dd7e9ae4 HTTP/3: optimize encoder stream memory usage
Previously, the encoder stream allocated each new inserted field in the
connection pool.  This memory was not freed until the end of the connection.
Now a special insert buffer is used for all inserts.
2026-04-16 19:47:46 +04:00
Roman Arutyunyan
4e89ce224f Restrict duplicate TE headers in HTTP/2 and HTTP/3
Following d3a76322cf, this change rejects requests which have multiple
TE headers.

Reported-by: geeknik <geeknik@protonmail.ch>
2026-04-16 19:47:03 +04:00
Roman Arutyunyan
d3a76322cf Restrict connection-specific headers in HTTP/2 and HTTP/3
As per RFC 9113 and RFC 9114, any message containing such headers MUST be
treated as malformed.

As per RFC 9110, Section 7.6.1, the following headers are considered
connection-specific:

- Connection
- Proxy-Connection
- Keep-Alive
- TE
- Transfer-Encoding
- Upgrade

The only exception is the TE header field, which MAY be present in a
request header, but it MUST NOT contain any value other than "trailers".
2026-04-14 09:53:13 +04:00
Roman Arutyunyan
00979ba9d8 Remove Proxy-Connection HTTP upstream header
As per RFC 9110, this header SHOULD be removed by a proxy.

Also, as per RFC 9113, this header MUST be removed when proxying to an
HTTP/2 backend.
2026-04-14 09:53:13 +04:00
David Carlier
1709bffe6e Upstream: reset early_hints_length on upstream reinit.
When a request was retried to a new upstream after receiving 103
Early Hints from the previous one, the accumulated early_hints_length
was not reset, causing valid early hints from the next upstream to be
incorrectly rejected as "too big".
2026-04-06 20:59:00 +04:00
Zoey
067d766f21 Fix $request_port and $is_request_port in subrequests
Closes #1247.
2026-04-06 14:53:54 +04:00
Maxim Dounin
365694160a Added max_headers directive.
The directive limits the number of request headers accepted from clients.
While the total amount of headers is believed to be sufficiently limited
by the existing buffer size limits (client_header_buffer_size and
large_client_header_buffers), the additional limit on the number of headers
might be beneficial to better protect backend servers.

Requested by Maksim Yevmenkin.

Signed-off-by: Elijah Zupancic <e.zupancic@f5.com>
Origin: <https://freenginx.org/hg/nginx/rev/199dc0d6b05be814b5c811876c20af58cd361fea>
2026-04-06 14:08:36 +04:00
David Korczynski
06c30ec29d Upstream: fix integer underflow in charset parsing
The issue described below was only reproducible prior to
7924a4ec6c

When parsing the `charset` parameter in the `Content-Type` header within
`ngx_http_upstream_copy_content_type`, an input such as `charset="`
resulted in an integer underflow.

In this scenario, both `p` and `last` point to the position immediately
following the opening quote. The logic to strip a trailing quote checked
`*(last - 1)` without verifying that `last > p`. This caused `last` to
be decremented to point to the opening quote itself, making `last < p`.

The subsequent length calculation `r->headers_out.charset.len = last - p`
resulted in -1, which wrapped to `SIZE_MAX` as `len` is a `size_t`. This
invalid length was later passed to `ngx_cpymem` in `ngx_http_header_filter`,
leading to an out-of-bounds memory access (detected as
`negative-size-param` by AddressSanitizer).

The fix ensures `last > p` before attempting to strip a trailing quote,
correctly resulting in a zero-length charset for malformed input.

The oss-fuzz payload that triggers this issue holds multiple 103 status
lines, and it's a sequence of 2 of those Content-Type headers that
trigger the ASAN report.

Co-authored-by: CodeMender <codemender-patching@google.com>
Fixes: https://issues.oss-fuzz.com/issues/486561029

Signed-off-by: David Korczynski <david@adalogics.com>
2026-04-06 14:07:18 +04:00
Sergey Kandaurov
7924a4ec6c Upstream: fixed processing multiple 103 (early hints) responses.
The second 103 response in a row was treated as the final response header.
2026-04-02 20:54:32 +04:00
Eugene Grebenschikov
0de6e878ba Fixed the "include" directive inside the "geo" block.
The "include" directive should be able to include multiple files if
given a filename mask.

Completes remaining changes introduced in da4ffd8.

Closes: https://github.com/nginx/nginx/issues/1165
2026-03-24 11:20:16 -07:00
Roman Arutyunyan
9739e755b8 Dav: destination length validation for COPY and MOVE.
Previously, when alias was used in a location with Dav COPY or MOVE
enabled, and the destination URI was shorter than the alias, integer
underflow could happen in ngx_http_map_uri_to_path(), which could
result in heap buffer overwrite, followed by a possible segfault.
With some implementations of memcpy(), the segfault could be avoided
and the overwrite could result in a change of the source or destination
file names to be outside of the location root.

Reported by Calif.io in collaboration with Claude and Anthropic Research.
2026-03-24 18:45:25 +04:00
Roman Arutyunyan
3568812cf9 Mp4: fixed possible integer overflow on 32-bit platforms.
Previously, a 32-bit overflow could happen while validating atom entries
count.  This allowed processing of an invalid atom with entrires beyond
its boundaries with reads and writes outside of the allocated mp4 buffer.

Reported by Prabhav Srinath (sprabhav7).
2026-03-24 18:44:57 +04:00
Roman Arutyunyan
7725c372c2 Mp4: avoid zero size buffers in output.
Previously, data validation checks did not cover the cases when the output
contained empty buffers.  Such buffers are considered illegal and produce
"zero size buf in output" alerts.  The change rejects the mp4 files which
produce such alerts.

Also, the change fixes possible buffer overread and overwrite that could
happen while processing empty stco and co64 atoms, as reported by
Pavel Kohout (Aisle Research) and Tim Becker.
2026-03-24 18:12:29 +04:00
Roman Arutyunyan
d787755d50 Upstream keepalive: fixed parameter parsing. 2026-03-24 15:38:16 +04:00
Roman Semenov
6bb27a6312 Proxy: enabled HTTP/1.1 by default for upstream connections.
Updates the proxy module to use HTTP/1.1 as the default protocol when
communicating with upstream servers. This change unlocks features
such as persistent connections and chunked transfer encoding. Configurations
that require HTTP/1.0 can still override the protocol explicitly.
2026-03-24 14:28:52 +04:00
Roman Semenov
4fbe4b6274 Upstream: enabled keepalive by default for explicit upstreams.
Keepalive is now automatically enabled in the "local" mode for upstreams
defined in configuration files. Cached keepalive connections are no longer
shared between different locations referencing the same explicit upstream
unless keepalive is explicitly configured without the "local" parameter.

To disable keepalive entirely, use keepalive 0; inside the upstream block.
To allow sharing cached connections between locations, configure
keepalive <max_cached>; without the "local" parameter.
2026-03-24 14:28:52 +04:00