From mdounin at mdounin.ru Thu Jul 2 09:41:52 2026 From: mdounin at mdounin.ru (=?utf-8?q?Maxim_Dounin?=) Date: Thu, 02 Jul 2026 12:41:52 +0300 Subject: [PATCH] Perl: request object validation Message-ID: <9a7e15e971f8759e1771.1782985312@vm-bsd.mdounin.ru> # HG changeset patch # User Maxim Dounin # Date 1782985214 -10800 # Thu Jul 02 12:40:14 2026 +0300 # Node ID 9a7e15e971f8759e177123da2d3217f1a5f621d5 # Parent 3072e5ce18a55cae5d1389d1b396cc62c2e053ab Perl: request object validation. Previously, using stale request objects resulted in accesses to already freed memory, causing segmentation faults: location /stale { perl 'sub { my $r = shift; $prev->log_error(0, "next request arrived") if $prev; $prev = $r; $r->send_http_header; return OK; }'; } Similarly, incorrectly blessed objects might cause segmentation faults, such as in the following configuration: location /bless { perl 'sub { my $v = 10; my $r = bless \$v, "nginx"; $r->send_http_header; return OK; }'; } With this change, active request object is recorded in the ngx_http_perl_call_handler() function, and checked by ngx_http_perl_set_request() to prevent use of unexpected request objects. Reported by Axel Mierczuk, Keith Hoodlet, 1Password?s Off-by-1 Labs. diff --git a/src/http/modules/perl/nginx.xs b/src/http/modules/perl/nginx.xs --- a/src/http/modules/perl/nginx.xs +++ b/src/http/modules/perl/nginx.xs @@ -18,6 +18,9 @@ #define ngx_http_perl_set_request(r, ctx) \ \ ctx = INT2PTR(ngx_http_perl_ctx_t *, SvIV((SV *) SvRV(ST(0)))); \ + if (ctx != ngx_http_perl_active_context || ctx == NULL) { \ + croak("invalid request object"); \ + } \ r = ctx->request diff --git a/src/http/modules/perl/ngx_http_perl_module.c b/src/http/modules/perl/ngx_http_perl_module.c --- a/src/http/modules/perl/ngx_http_perl_module.c +++ b/src/http/modules/perl/ngx_http_perl_module.c @@ -148,6 +148,9 @@ static ngx_http_ssi_command_t ngx_http_ #endif +ngx_http_perl_ctx_t *ngx_http_perl_active_context; + + static ngx_str_t ngx_null_name = ngx_null_string; static HV *nginx_stash; @@ -746,6 +749,8 @@ ngx_http_perl_call_handler(pTHX_ ngx_htt PUSHMARK(sp); + ngx_http_perl_active_context = ctx; + sv = sv_2mortal(sv_bless(newRV_noinc(newSViv(PTR2IV(ctx))), nginx)); XPUSHs(sv); @@ -790,6 +795,8 @@ ngx_http_perl_call_handler(pTHX_ ngx_htt FREETMPS; LEAVE; + ngx_http_perl_active_context = NULL; + if (ctx->error) { ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, diff --git a/src/http/modules/perl/ngx_http_perl_module.h b/src/http/modules/perl/ngx_http_perl_module.h --- a/src/http/modules/perl/ngx_http_perl_module.h +++ b/src/http/modules/perl/ngx_http_perl_module.h @@ -59,6 +59,9 @@ typedef struct { extern ngx_module_t ngx_http_perl_module; +extern ngx_http_perl_ctx_t *ngx_http_perl_active_context; + + /* * workaround for "unused variable `Perl___notused'" warning * when building with perl 5.6.1 From mdounin at mdounin.ru Thu Jul 2 09:43:12 2026 From: mdounin at mdounin.ru (=?utf-8?q?Maxim_Dounin?=) Date: Thu, 02 Jul 2026 12:43:12 +0300 Subject: [PATCH] Tests: perl invalid request object tests In-Reply-To: <9a7e15e971f8759e1771.1782985312@vm-bsd.mdounin.ru> References: <9a7e15e971f8759e1771.1782985312@vm-bsd.mdounin.ru> Message-ID: <722b1568d101a870c324.1782985392@vm-bsd.mdounin.ru> # HG changeset patch # User Maxim Dounin # Date 1782985220 -10800 # Thu Jul 02 12:40:20 2026 +0300 # Node ID 722b1568d101a870c3242f04882be5aa293c2a19 # Parent d2f2ead62ad63ebe74cd21bf9c956625a9d7a70f Tests: perl invalid request object tests. diff --git a/perl_refcount.t b/perl_refcount.t --- a/perl_refcount.t +++ b/perl_refcount.t @@ -22,7 +22,7 @@ use Test::Nginx; select STDERR; $| = 1; select STDOUT; $| = 1; -my $t = Test::Nginx->new()->has(qw/http perl/)->plan(4) +my $t = Test::Nginx->new()->has(qw/http perl/)->plan(6) ->write_file_expand('nginx.conf', <<'EOF'); %%TEST_GLOBALS%% @@ -85,6 +85,27 @@ http { return OK; }'; } + + location /stale { + perl 'sub { + my $r = shift; + $prev->log_error(0, "next request arrived") if $prev; + $r->send_http_header; + $prev->print("print to stale request") if $prev; + $prev = $r; + return OK; + }'; + } + + location /bless { + perl 'sub { + my $v = 10; + my $r = bless \$v, "nginx"; + $r->send_http_header; + $r->print("it works"); + return OK; + }'; + } } } @@ -121,4 +142,24 @@ like(http_get('/redirect'), qr/works/, ' } +TODO: { +local $TODO = 'not yet' unless $t->has_version('1.31.3'); +todo_skip 'might coredump', 2 unless $t->has_version('1.31.3') + or $ENV{TEST_NGINX_UNSAFE}; + +# the $r request object might be preserved by the code, +# and usage of such invalid request objects needs to be prevented; +# note though that the stale request might happen to match the active one + +http_get('/stale'); +like(http_get('/stale'), qr/500 Internal|stale request/, + 'stale request object'); + +# similarly, if the request object is constructed with bless() +# with an incorrect pointer, it should be rejected + +like(http_get('/bless'), qr/500 Internal/, 'invalid request object'); + +} + ############################################################################### From mdounin at mdounin.ru Fri Jul 3 04:06:42 2026 From: mdounin at mdounin.ru (=?iso-8859-1?q?Maxim_Dounin?=) Date: Fri, 03 Jul 2026 07:06:42 +0300 Subject: [nginx] Upstream: fixed missing return in error handling. Message-ID: details: http://freenginx.org/hg/nginx/rev/3072e5ce18a5 branches: changeset: 9570:3072e5ce18a5 user: Maxim Dounin date: Sat Jun 27 01:35:52 2026 +0300 description: Upstream: fixed missing return in error handling. Missed in 9295:c5623963c29e (1.27.2), might cause segmentation faults on memory allocation errors with proxy_no_cache (or if script buffer overrun protections are triggered during evaluation of proxy_no_cache predicates, or on cache node allocation errors if proxy_cache_bypass is also used). Reported by Valentin Bartenev. diffstat: src/http/ngx_http_upstream.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diffs (11 lines): diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c --- a/src/http/ngx_http_upstream.c +++ b/src/http/ngx_http_upstream.c @@ -3236,6 +3236,7 @@ ngx_http_upstream_send_response(ngx_http if (ngx_http_upstream_no_cache(r, u) != NGX_OK) { ngx_http_upstream_finalize_request(r, u, NGX_ERROR); + return; } if (u->cacheable) { From mdounin at mdounin.ru Mon Jul 6 04:46:06 2026 From: mdounin at mdounin.ru (=?iso-8859-1?q?Maxim_Dounin?=) Date: Mon, 06 Jul 2026 07:46:06 +0300 Subject: [nginx] Perl: request object validation. Message-ID: details: http://freenginx.org/hg/nginx/rev/86a2685756ae branches: changeset: 9571:86a2685756ae user: Maxim Dounin date: Mon Jul 06 07:14:28 2026 +0300 description: Perl: request object validation. Previously, using stale request objects resulted in accesses to already freed memory, causing segmentation faults: location /stale { perl 'sub { my $r = shift; $prev->log_error(0, "next request arrived") if $prev; $prev = $r; $r->send_http_header; return OK; }'; } Similarly, incorrectly blessed objects might cause segmentation faults, such as in the following configuration: location /bless { perl 'sub { my $v = 10; my $r = bless \$v, "nginx"; $r->send_http_header; return OK; }'; } With this change, active request object is recorded in the ngx_http_perl_call_handler() function, and checked by ngx_http_perl_set_request() to prevent use of unexpected request objects. Reported by Axel Mierczuk, Keith Hoodlet, 1Password?s Off-by-1 Labs. diffstat: src/http/modules/perl/nginx.xs | 3 +++ src/http/modules/perl/ngx_http_perl_module.c | 7 +++++++ src/http/modules/perl/ngx_http_perl_module.h | 3 +++ 3 files changed, 13 insertions(+), 0 deletions(-) diffs (57 lines): diff --git a/src/http/modules/perl/nginx.xs b/src/http/modules/perl/nginx.xs --- a/src/http/modules/perl/nginx.xs +++ b/src/http/modules/perl/nginx.xs @@ -18,6 +18,9 @@ #define ngx_http_perl_set_request(r, ctx) \ \ ctx = INT2PTR(ngx_http_perl_ctx_t *, SvIV((SV *) SvRV(ST(0)))); \ + if (ctx != ngx_http_perl_active_context || ctx == NULL) { \ + croak("invalid request object"); \ + } \ r = ctx->request diff --git a/src/http/modules/perl/ngx_http_perl_module.c b/src/http/modules/perl/ngx_http_perl_module.c --- a/src/http/modules/perl/ngx_http_perl_module.c +++ b/src/http/modules/perl/ngx_http_perl_module.c @@ -148,6 +148,9 @@ static ngx_http_ssi_command_t ngx_http_ #endif +ngx_http_perl_ctx_t *ngx_http_perl_active_context; + + static ngx_str_t ngx_null_name = ngx_null_string; static HV *nginx_stash; @@ -746,6 +749,8 @@ ngx_http_perl_call_handler(pTHX_ ngx_htt PUSHMARK(sp); + ngx_http_perl_active_context = ctx; + sv = sv_2mortal(sv_bless(newRV_noinc(newSViv(PTR2IV(ctx))), nginx)); XPUSHs(sv); @@ -790,6 +795,8 @@ ngx_http_perl_call_handler(pTHX_ ngx_htt FREETMPS; LEAVE; + ngx_http_perl_active_context = NULL; + if (ctx->error) { ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, diff --git a/src/http/modules/perl/ngx_http_perl_module.h b/src/http/modules/perl/ngx_http_perl_module.h --- a/src/http/modules/perl/ngx_http_perl_module.h +++ b/src/http/modules/perl/ngx_http_perl_module.h @@ -59,6 +59,9 @@ typedef struct { extern ngx_module_t ngx_http_perl_module; +extern ngx_http_perl_ctx_t *ngx_http_perl_active_context; + + /* * workaround for "unused variable `Perl___notused'" warning * when building with perl 5.6.1 From mdounin at mdounin.ru Mon Jul 6 04:46:27 2026 From: mdounin at mdounin.ru (=?iso-8859-1?q?Maxim_Dounin?=) Date: Mon, 06 Jul 2026 07:46:27 +0300 Subject: [nginx-tests] Tests: perl invalid request object tests. Message-ID: details: http://freenginx.org/hg/nginx-tests/rev/e35d7a7d58e2 branches: changeset: 2077:e35d7a7d58e2 user: Maxim Dounin date: Mon Jul 06 07:15:12 2026 +0300 description: Tests: perl invalid request object tests. diffstat: perl_refcount.t | 43 ++++++++++++++++++++++++++++++++++++++++++- 1 files changed, 42 insertions(+), 1 deletions(-) diffs (65 lines): diff --git a/perl_refcount.t b/perl_refcount.t --- a/perl_refcount.t +++ b/perl_refcount.t @@ -22,7 +22,7 @@ use Test::Nginx; select STDERR; $| = 1; select STDOUT; $| = 1; -my $t = Test::Nginx->new()->has(qw/http perl/)->plan(4) +my $t = Test::Nginx->new()->has(qw/http perl/)->plan(6) ->write_file_expand('nginx.conf', <<'EOF'); %%TEST_GLOBALS%% @@ -85,6 +85,27 @@ http { return OK; }'; } + + location /stale { + perl 'sub { + my $r = shift; + $prev->log_error(0, "next request arrived") if $prev; + $r->send_http_header; + $prev->print("print to stale request") if $prev; + $prev = $r; + return OK; + }'; + } + + location /bless { + perl 'sub { + my $v = 10; + my $r = bless \$v, "nginx"; + $r->send_http_header; + $r->print("it works"); + return OK; + }'; + } } } @@ -121,4 +142,24 @@ like(http_get('/redirect'), qr/works/, ' } +TODO: { +local $TODO = 'not yet' unless $t->has_version('1.31.3'); +todo_skip 'might coredump', 2 unless $t->has_version('1.31.3') + or $ENV{TEST_NGINX_UNSAFE}; + +# the $r request object might be preserved by the code, +# and usage of such invalid request objects needs to be prevented; +# note though that the stale request might happen to match the active one + +http_get('/stale'); +like(http_get('/stale'), qr/500 Internal|stale request/, + 'stale request object'); + +# similarly, if the request object is constructed with bless() +# with an incorrect pointer, it should be rejected + +like(http_get('/bless'), qr/500 Internal/, 'invalid request object'); + +} + ############################################################################### From mdounin at mdounin.ru Tue Jul 7 05:14:22 2026 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 7 Jul 2026 08:14:22 +0300 Subject: freenginx-1.31.3 changes draft Message-ID: Hello! Changes with freenginx 1.31.3 07 Jul 2026 *) Feature: additional checks are now used during variable substitution, including during execution of the ngx_http_rewrite_module directives, to prevent buffer overruns in case of errors in the code. *) Bugfix: if the "auth_request_set" directive or regular expression named captures were used to change prefix variables, such as "$http_...", corresponding variables became empty in other parts of the configuration. *) Bugfix: changing the $limit_rate and $args variables with the "auth_request_set" directive or regular expression named captures worked incorrectly. *) Bugfix: in error handling in the mail proxy module. Thanks to Evan Hellman, Trail of Bits. *) Bugfix: in error handling when using gzipping. Thanks to Evan Hellman, Trail of Bits. *) Bugfix: in HTTP/3. *) Bugfix: a segmentation fault might occur in a worker process when sending very long request header lines to a gRPC backend. Thanks to Evan Hellman, Trail of Bits. *) Bugfix: a segmentation fault might occur in a worker process if the ngx_http_charset_module was used to convert responses from UTF-8. *) Bugfix: in the ngx_http_perl_module. Thanks to Evan Hellman, Trail of Bits and Axel Mierczuk, Keith Hoodlet, 1Password's Off-by-1 Labs. *) Bugfix: in error handling when using the proxy_no_cache directive. Thanks to Valentin Bartenev. ????????? ? freenginx 1.31.3 07.07.2026 *) ??????????: ?????? ??? ??????????? ??????????, ? ??? ????? ??? ?????????? ???????? ?????? ngx_http_rewrite_module, ???????????? ?????????????? ????????, ??????????? ????????????? ????? ?? ??????? ?????? ? ?????? ?????-???? ?????? ? ????. *) ???????????: ??? ????????????? ????????? auth_request_set ??? ??????????? ????????? ? ?????????? ?????????? ??? ????????? ?????????? ??????????, ????? ??? "$http_...", ??????????????? ?????????? ??????????? ??????? ? ?????? ?????? ????????????. *) ??????????: ????????? ?????????? $limit_rate ? $args ? ??????? ????????? auth_request_set ??? ??????????? ????????? ? ?????????? ?????????? ???????? ???????????. *) ???????????: ? ????????? ?????? ? ???????? ??????-???????. ??????? Evan Hellman, Trail of Bits. *) ???????????: ? ????????? ?????? ??? ????????????? ??????. ??????? Evan Hellman, Trail of Bits. *) ???????????: ? HTTP/3. *) ???????????: ? ??????? ???????? ??? ????????? segmentation fault ??? ???????? ?? gRPC-?????? ????? ??????? ????? ????????? ???????. ??????? Evan Hellman, Trail of Bits. *) ???????????: ? ??????? ???????? ??? ????????? segmentation fault, ???? ?????? ngx_http_charset_module ????????????? ??? ??????????????? ??????? ?? UTF-8. *) ???????????: ? ?????? ngx_http_perl_module. ??????? Evan Hellman, Trail of Bits ? Axel Mierczuk, Keith Hoodlet, 1Password's Off-by-1 Labs. *) ???????????: ? ????????? ?????? ??? ????????????? ????????? proxy_no_cache. ??????? Valentin Bartenev. -- Maxim Dounin http://mdounin.ru/ From osa at freebsd.org.ru Tue Jul 7 13:03:40 2026 From: osa at freebsd.org.ru (Sergey A. Osokin) Date: Tue, 7 Jul 2026 16:03:40 +0300 Subject: freenginx-1.31.3 changes draft In-Reply-To: References: Message-ID: On Tue, Jul 07, 2026 at 08:14:22AM +0300, Maxim Dounin wrote: > Hello! [...] > *) ??????????: ????????? ?????????? $limit_rate ? $args ? ??????? ????????: "??????????" -> "???????????". -- Sergey A. Osokin From mdounin at mdounin.ru Tue Jul 7 15:00:14 2026 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 7 Jul 2026 18:00:14 +0300 Subject: freenginx-1.31.3 changes draft In-Reply-To: References: Message-ID: Hello! On Tue, Jul 07, 2026 at 04:03:40PM +0300, Sergey A. Osokin wrote: > On Tue, Jul 07, 2026 at 08:14:22AM +0300, Maxim Dounin wrote: > > Hello! > > [...] > > > *) ??????????: ????????? ?????????? $limit_rate ? $args ? ??????? > > ????????: "??????????" -> "???????????". Hmm, this is a generated text prefix (from "type="bugfix"" in changex.xml), so it must be a cut-n-paste issue. Haven't seen such issues before, but it looks like a common problem on macOS due to a small tty buffer size, only 1024 bytes: https://github.com/kovidgoyal/kitty/issues/5869 https://superuser.com/questions/219225/command-limits-when-pasting-into-tcsh-mac-os-x/219304#219304 https://github.com/apple-oss-distributions/xnu/blob/xnu-12377.121.6/bsd/kern/tty.c#L552 https://github.com/apple-oss-distributions/xnu/blob/xnu-12377.121.6/bsd/sys/syslimits.h#L98 -- Maxim Dounin http://mdounin.ru/ From mdounin at mdounin.ru Tue Jul 7 15:06:43 2026 From: mdounin at mdounin.ru (=?iso-8859-1?q?Maxim_Dounin?=) Date: Tue, 07 Jul 2026 18:06:43 +0300 Subject: [nginx] Updated OpenSSL used for win32 builds. Message-ID: details: http://freenginx.org/hg/nginx/rev/1302742bda64 branches: changeset: 9572:1302742bda64 user: Maxim Dounin date: Tue Jul 07 08:15:42 2026 +0300 description: Updated OpenSSL used for win32 builds. diffstat: misc/GNUmakefile | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diffs (12 lines): diff --git a/misc/GNUmakefile b/misc/GNUmakefile --- a/misc/GNUmakefile +++ b/misc/GNUmakefile @@ -6,7 +6,7 @@ TEMP = tmp CC = cl OBJS = objs.msvc8 -OPENSSL = openssl-3.5.6 +OPENSSL = openssl-3.5.7 ZLIB = zlib-1.3.2 PCRE = pcre2-10.47 From mdounin at mdounin.ru Tue Jul 7 15:06:44 2026 From: mdounin at mdounin.ru (=?iso-8859-1?q?Maxim_Dounin?=) Date: Tue, 07 Jul 2026 18:06:44 +0300 Subject: [nginx] freenginx-1.31.3-RELEASE Message-ID: details: http://freenginx.org/hg/nginx/rev/47e34b225e5f branches: changeset: 9573:47e34b225e5f user: Maxim Dounin date: Tue Jul 07 18:03:30 2026 +0300 description: freenginx-1.31.3-RELEASE diffstat: docs/xml/nginx/changes.xml | 132 +++++++++++++++++++++++++++++++++++++++++++++ 1 files changed, 132 insertions(+), 0 deletions(-) diffs (142 lines): diff --git a/docs/xml/nginx/changes.xml b/docs/xml/nginx/changes.xml --- a/docs/xml/nginx/changes.xml +++ b/docs/xml/nginx/changes.xml @@ -7,6 +7,138 @@
+ + + + +?????? ??? ??????????? ??????????, +? ??? ????? ??? ?????????? ???????? ?????? ngx_http_rewrite_module, +???????????? ?????????????? ????????, +??????????? ????????????? ????? ?? ??????? ?????? +? ?????? ?????-???? ?????? ? ????. + + +additional checks are now used during variable substitution, +including during execution of the ngx_http_rewrite_module directives, +to prevent buffer overruns +in case of errors in the code. + + + + + +??? ????????????? ????????? auth_request_set +??? ??????????? ????????? ? ?????????? ?????????? +??? ????????? ?????????? ??????????, ????? ??? "$http_...", +??????????????? ?????????? ??????????? ??????? ? ?????? ?????? ????????????. + + +if the "auth_request_set" directive +or regular expression named captures +were used to change prefix variables, such as "$http_...", +corresponding variables became empty in other parts of the configuration. + + + + + +????????? ?????????? $limit_rate ? $args +? ??????? ????????? auth_request_set +??? ??????????? ????????? ? ?????????? ?????????? +???????? ???????????. + + +changing the $limit_rate and $args variables +with the "auth_request_set" directive +or regular expression named captures +worked incorrectly. + + + + + +? ????????? ?????? ? ???????? ??????-???????.
+??????? Evan Hellman, Trail of Bits. +
+ +in error handling in the mail proxy module.
+Thanks to Evan Hellman, Trail of Bits. +
+
+ + + +? ????????? ?????? ??? ????????????? ??????.
+??????? Evan Hellman, Trail of Bits. +
+ +in error handling when using gzipping.
+Thanks to Evan Hellman, Trail of Bits. +
+
+ + + +? HTTP/3. + + +in HTTP/3. + + + + + +? ??????? ???????? ??? ????????? segmentation fault +??? ???????? ?? gRPC-?????? ????? ??????? ????? ????????? ???????.
+??????? Evan Hellman, Trail of Bits. +
+ +a segmentation fault might occur in a worker process +when sending very long request header lines to a gRPC backend.
+Thanks to Evan Hellman, Trail of Bits. +
+
+ + + +? ??????? ???????? ??? ????????? segmentation fault, +???? ?????? ngx_http_charset_module ????????????? +??? ??????????????? ??????? ?? UTF-8. + + +a segmentation fault might occur in a worker process +if the ngx_http_charset_module was used +to convert responses from UTF-8. + + + + + +? ?????? ngx_http_perl_module.
+??????? Evan Hellman, Trail of Bits +? Axel Mierczuk, Keith Hoodlet, 1Password's Off-by-1 Labs. +
+ +in the ngx_http_perl_module.
+Thanks to Evan Hellman, Trail of Bits +and Axel Mierczuk, Keith Hoodlet, 1Password's Off-by-1 Labs. +
+
+ + + +? ????????? ?????? ??? ????????????? ????????? proxy_no_cache.
+??????? Valentin Bartenev. +
+ +in error handling when using the proxy_no_cache directive.
+Thanks to Valentin Bartenev. +
+
+ +
+ + From mdounin at mdounin.ru Tue Jul 7 15:06:44 2026 From: mdounin at mdounin.ru (=?iso-8859-1?q?Maxim_Dounin?=) Date: Tue, 07 Jul 2026 18:06:44 +0300 Subject: [nginx] release-1.31.3 tag Message-ID: details: http://freenginx.org/hg/nginx/rev/3c6a73c0e927 branches: changeset: 9574:3c6a73c0e927 user: Maxim Dounin date: Tue Jul 07 18:03:31 2026 +0300 description: release-1.31.3 tag diffstat: .hgtags | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diffs (8 lines): diff --git a/.hgtags b/.hgtags --- a/.hgtags +++ b/.hgtags @@ -496,3 +496,4 @@ cac0fa5721386abbec57dcc2bb317f2531456e19 b1585cfeee5759a1ae3794b5c9c4c541c3c73a35 release-1.31.0 0417363a549372cf4b20c611c6f14944b177e86c release-1.31.1 e3c5f3106d3837629514c0f5cb9aac189c07e432 release-1.31.2 +47e34b225e5f13ceacadba8a37e27ce9a299b2fb release-1.31.3 From mdounin at mdounin.ru Tue Jul 7 15:10:03 2026 From: mdounin at mdounin.ru (=?iso-8859-1?q?Maxim_Dounin?=) Date: Tue, 07 Jul 2026 18:10:03 +0300 Subject: [nginx-site] freenginx-1.31.3 Message-ID: details: http://freenginx.org/hg/nginx-site/rev/7adcd2f1a240 branches: changeset: 3137:7adcd2f1a240 user: Maxim Dounin date: Tue Jul 07 18:08:32 2026 +0300 description: freenginx-1.31.3 diffstat: text/en/CHANGES | 38 ++++++++++++++++++++++++++++++++++++++ text/ru/CHANGES.ru | 41 +++++++++++++++++++++++++++++++++++++++++ xml/index.xml | 7 +++++++ xml/versions.xml | 1 + 4 files changed, 87 insertions(+), 0 deletions(-) diffs (123 lines): diff --git a/text/en/CHANGES b/text/en/CHANGES --- a/text/en/CHANGES +++ b/text/en/CHANGES @@ -1,4 +1,42 @@ +Changes with freenginx 1.31.3 07 Jul 2026 + + *) Feature: additional checks are now used during variable substitution, + including during execution of the ngx_http_rewrite_module directives, + to prevent buffer overruns in case of errors in the code. + + *) Bugfix: if the "auth_request_set" directive or regular expression + named captures were used to change prefix variables, such as + "$http_...", corresponding variables became empty in other parts of + the configuration. + + *) Bugfix: changing the $limit_rate and $args variables with the + "auth_request_set" directive or regular expression named captures + worked incorrectly. + + *) Bugfix: in error handling in the mail proxy module. + Thanks to Evan Hellman, Trail of Bits. + + *) Bugfix: in error handling when using gzipping. + Thanks to Evan Hellman, Trail of Bits. + + *) Bugfix: in HTTP/3. + + *) Bugfix: a segmentation fault might occur in a worker process when + sending very long request header lines to a gRPC backend. + Thanks to Evan Hellman, Trail of Bits. + + *) Bugfix: a segmentation fault might occur in a worker process if the + ngx_http_charset_module was used to convert responses from UTF-8. + + *) Bugfix: in the ngx_http_perl_module. + Thanks to Evan Hellman, Trail of Bits and Axel Mierczuk, Keith + Hoodlet, 1Password's Off-by-1 Labs. + + *) Bugfix: in error handling when using the proxy_no_cache directive. + Thanks to Valentin Bartenev. + + Changes with freenginx 1.31.2 26 May 2026 *) Bugfix: a segmentation fault might occur in a worker process if diff --git a/text/ru/CHANGES.ru b/text/ru/CHANGES.ru --- a/text/ru/CHANGES.ru +++ b/text/ru/CHANGES.ru @@ -1,4 +1,45 @@ +????????? ? freenginx 1.31.3 07.07.2026 + + *) ??????????: ?????? ??? ??????????? ??????????, ? ??? ????? ??? + ?????????? ???????? ?????? ngx_http_rewrite_module, ???????????? + ?????????????? ????????, ??????????? ????????????? ????? ?? ??????? + ?????? ? ?????? ?????-???? ?????? ? ????. + + *) ???????????: ??? ????????????? ????????? auth_request_set ??? + ??????????? ????????? ? ?????????? ?????????? ??? ????????? + ?????????? ??????????, ????? ??? "$http_...", ??????????????? + ?????????? ??????????? ??????? ? ?????? ?????? ????????????. + + *) ???????????: ????????? ?????????? $limit_rate ? $args ? ??????? + ????????? auth_request_set ??? ??????????? ????????? ? ?????????? + ?????????? ???????? ???????????. + + *) ???????????: ? ????????? ?????? ? ???????? ??????-???????. + ??????? Evan Hellman, Trail of Bits. + + *) ???????????: ? ????????? ?????? ??? ????????????? ??????. + ??????? Evan Hellman, Trail of Bits. + + *) ???????????: ? HTTP/3. + + *) ???????????: ? ??????? ???????? ??? ????????? segmentation fault ??? + ???????? ?? gRPC-?????? ????? ??????? ????? ????????? ???????. + ??????? Evan Hellman, Trail of Bits. + + *) ???????????: ? ??????? ???????? ??? ????????? segmentation fault, + ???? ?????? ngx_http_charset_module ????????????? ??? ??????????????? + ??????? ?? UTF-8. + + *) ???????????: ? ?????? ngx_http_perl_module. + ??????? Evan Hellman, Trail of Bits ? Axel Mierczuk, Keith Hoodlet, + 1Password's Off-by-1 Labs. + + *) ???????????: ? ????????? ?????? ??? ????????????? ????????? + proxy_no_cache. + ??????? Valentin Bartenev. + + ????????? ? freenginx 1.31.2 26.05.2026 *) ???????????: ? ??????? ???????? ??? ????????? segmentation fault, diff --git a/xml/index.xml b/xml/index.xml --- a/xml/index.xml +++ b/xml/index.xml @@ -8,6 +8,13 @@ + + +freenginx-1.31.3 +mainline version has been released. + + + freenginx-1.30.1 diff --git a/xml/versions.xml b/xml/versions.xml --- a/xml/versions.xml +++ b/xml/versions.xml @@ -9,6 +9,7 @@ +