Merge branch 'nginx' (nginx-1.17.10).
Change-Id: I8dcbd7764f453c11e61cd461f490ff56f7943a60
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
diff --git a/.hgtags b/.hgtags
index c9a99e0..f76fc20 100644
--- a/.hgtags
+++ b/.hgtags
@@ -448,3 +448,4 @@
e56295fe0ea76bf53b06bffa77a2d3a9a335cb8c release-1.17.7
fdacd273711ddf20f778c1fb91529ab53979a454 release-1.17.8
5e8d52bca714d4b85284ddb649d1ba4a3ca978a8 release-1.17.9
+c44970de01474f6f3e01b0adea85ec1d03e3a5f2 release-1.17.10
diff --git a/BUILD b/BUILD
index 2723306..afc53d0 100644
--- a/BUILD
+++ b/BUILD
@@ -1520,5 +1520,5 @@
preinst = "@nginx_pkgoss//:debian_preinst",
prerm = "@nginx_pkgoss//:debian_prerm",
section = "httpd",
- version = "1.17.9",
+ version = "1.17.10",
)
diff --git a/build.bzl b/build.bzl
index ec52740..bd58fdf 100644
--- a/build.bzl
+++ b/build.bzl
@@ -673,9 +673,9 @@
name = "nginx_pkgoss",
build_file_content = _PKGOSS_BUILD_FILE.format(nginx = nginx) +
_PKGOSS_BUILD_FILE_TAIL,
- commit = "30e01364d235891447d90fa9b28352118f0f1114", # nginx-1.17.9
+ commit = "b39b0ee49ef6dada8a5bb30135bdccb9d812f0c8", # nginx-1.17.10
remote = "https://nginx.googlesource.com/nginx-pkgoss",
- shallow_since = "1583256764 +0300",
+ shallow_since = "1586876524 +0300",
)
def nginx_repositories_zlib(bind):
diff --git a/docs/xml/nginx/changes.xml b/docs/xml/nginx/changes.xml
index 818b983..ada3f84 100644
--- a/docs/xml/nginx/changes.xml
+++ b/docs/xml/nginx/changes.xml
@@ -5,6 +5,20 @@
<change_log title="nginx">
+<changes ver="1.17.10" date="2020-04-14">
+
+<change type="feature">
+<para lang="ru">
+директива auth_delay.
+</para>
+<para lang="en">
+the "auth_delay" directive.
+</para>
+</change>
+
+</changes>
+
+
<changes ver="1.17.9" date="2020-03-03">
<change type="change">
diff --git a/misc/GNUmakefile b/misc/GNUmakefile
index 0055730..7f39e9d 100644
--- a/misc/GNUmakefile
+++ b/misc/GNUmakefile
@@ -6,7 +6,7 @@
CC = cl
OBJS = objs.msvc8
-OPENSSL = openssl-1.1.1d
+OPENSSL = openssl-1.1.1f
ZLIB = zlib-1.2.11
PCRE = pcre-8.44
diff --git a/src/core/nginx.h b/src/core/nginx.h
index 656d5c1..4929092 100644
--- a/src/core/nginx.h
+++ b/src/core/nginx.h
@@ -13,8 +13,8 @@
#define NGINX_NAME "nginx"
#endif
-#define nginx_version 1017009
-#define NGINX_VERSION "1.17.9"
+#define nginx_version 1017010
+#define NGINX_VERSION "1.17.10"
#define NGINX_VER NGINX_NAME "/" NGINX_VERSION
#ifdef NGX_BUILD
diff --git a/src/http/modules/ngx_http_auth_basic_module.c b/src/http/modules/ngx_http_auth_basic_module.c
index a6f9ec4..ed9df34 100644
--- a/src/http/modules/ngx_http_auth_basic_module.c
+++ b/src/http/modules/ngx_http_auth_basic_module.c
@@ -25,7 +25,6 @@
ngx_str_t *passwd, ngx_str_t *realm);
static ngx_int_t ngx_http_auth_basic_set_realm(ngx_http_request_t *r,
ngx_str_t *realm);
-static void ngx_http_auth_basic_close(ngx_file_t *file);
static void *ngx_http_auth_basic_create_loc_conf(ngx_conf_t *cf);
static char *ngx_http_auth_basic_merge_loc_conf(ngx_conf_t *cf,
void *parent, void *child);
@@ -177,8 +176,8 @@
offset);
if (n == NGX_ERROR) {
- ngx_http_auth_basic_close(&file);
- return NGX_HTTP_INTERNAL_SERVER_ERROR;
+ rc = NGX_HTTP_INTERNAL_SERVER_ERROR;
+ goto cleanup;
}
if (n == 0) {
@@ -219,12 +218,11 @@
if (buf[i] == LF || buf[i] == CR || buf[i] == ':') {
buf[i] = '\0';
- ngx_http_auth_basic_close(&file);
-
pwd.len = i - passwd;
pwd.data = &buf[passwd];
- return ngx_http_auth_basic_crypt_handler(r, &pwd, &realm);
+ rc = ngx_http_auth_basic_crypt_handler(r, &pwd, &realm);
+ goto cleanup;
}
break;
@@ -251,8 +249,6 @@
offset += n;
}
- ngx_http_auth_basic_close(&file);
-
if (state == sw_passwd) {
pwd.len = i - passwd;
pwd.data = ngx_pnalloc(r->pool, pwd.len + 1);
@@ -262,14 +258,26 @@
ngx_cpystrn(pwd.data, &buf[passwd], pwd.len + 1);
- return ngx_http_auth_basic_crypt_handler(r, &pwd, &realm);
+ rc = ngx_http_auth_basic_crypt_handler(r, &pwd, &realm);
+ goto cleanup;
}
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
"user \"%V\" was not found in \"%s\"",
&r->headers_in.user, user_file.data);
- return ngx_http_auth_basic_set_realm(r, &realm);
+ rc = ngx_http_auth_basic_set_realm(r, &realm);
+
+cleanup:
+
+ if (ngx_close_file(file.fd) == NGX_FILE_ERROR) {
+ ngx_log_error(NGX_LOG_ALERT, r->connection->log, ngx_errno,
+ ngx_close_file_n " \"%s\" failed", user_file.data);
+ }
+
+ ngx_explicit_memzero(buf, NGX_HTTP_AUTH_BUF_SIZE);
+
+ return rc;
}
@@ -338,15 +346,6 @@
return NGX_HTTP_UNAUTHORIZED;
}
-static void
-ngx_http_auth_basic_close(ngx_file_t *file)
-{
- if (ngx_close_file(file->fd) == NGX_FILE_ERROR) {
- ngx_log_error(NGX_LOG_ALERT, file->log, ngx_errno,
- ngx_close_file_n " \"%s\" failed", file->name.data);
- }
-}
-
static void *
ngx_http_auth_basic_create_loc_conf(ngx_conf_t *cf)
diff --git a/src/http/ngx_http_core_module.c b/src/http/ngx_http_core_module.c
index d4f7b9d..a7ae9d9 100644
--- a/src/http/ngx_http_core_module.c
+++ b/src/http/ngx_http_core_module.c
@@ -21,6 +21,9 @@
#define NGX_HTTP_REQUEST_BODY_FILE_CLEAN 2
+static ngx_int_t ngx_http_core_auth_delay(ngx_http_request_t *r);
+static void ngx_http_core_auth_delay_handler(ngx_http_request_t *r);
+
static ngx_int_t ngx_http_core_find_location(ngx_http_request_t *r);
static ngx_int_t ngx_http_core_find_static_location(ngx_http_request_t *r,
ngx_http_location_tree_node_t *node);
@@ -520,6 +523,13 @@
offsetof(ngx_http_core_loc_conf_t, satisfy),
&ngx_http_core_satisfy },
+ { ngx_string("auth_delay"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_msec_slot,
+ NGX_HTTP_LOC_CONF_OFFSET,
+ offsetof(ngx_http_core_loc_conf_t, auth_delay),
+ NULL },
+
{ ngx_string("internal"),
NGX_HTTP_LOC_CONF|NGX_CONF_NOARGS,
ngx_http_core_internal,
@@ -1124,6 +1134,10 @@
/* rc == NGX_ERROR || rc == NGX_HTTP_... */
+ if (rc == NGX_HTTP_UNAUTHORIZED) {
+ return ngx_http_core_auth_delay(r);
+ }
+
ngx_http_finalize_request(r, rc);
return NGX_OK;
}
@@ -1141,12 +1155,17 @@
access_code = r->access_code;
if (access_code) {
+ r->access_code = 0;
+
if (access_code == NGX_HTTP_FORBIDDEN) {
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
"access forbidden by rule");
}
- r->access_code = 0;
+ if (access_code == NGX_HTTP_UNAUTHORIZED) {
+ return ngx_http_core_auth_delay(r);
+ }
+
ngx_http_finalize_request(r, access_code);
return NGX_OK;
}
@@ -1156,6 +1175,65 @@
}
+static ngx_int_t
+ngx_http_core_auth_delay(ngx_http_request_t *r)
+{
+ ngx_http_core_loc_conf_t *clcf;
+
+ clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
+
+ if (clcf->auth_delay == 0) {
+ ngx_http_finalize_request(r, NGX_HTTP_UNAUTHORIZED);
+ return NGX_OK;
+ }
+
+ ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
+ "delaying unauthorized request");
+
+ if (ngx_handle_read_event(r->connection->read, 0) != NGX_OK) {
+ return NGX_HTTP_INTERNAL_SERVER_ERROR;
+ }
+
+ r->read_event_handler = ngx_http_test_reading;
+ r->write_event_handler = ngx_http_core_auth_delay_handler;
+
+ r->connection->write->delayed = 1;
+ ngx_add_timer(r->connection->write, clcf->auth_delay);
+
+ /*
+ * trigger an additional event loop iteration
+ * to ensure constant-time processing
+ */
+
+ ngx_post_event(r->connection->write, &ngx_posted_next_events);
+
+ return NGX_OK;
+}
+
+
+static void
+ngx_http_core_auth_delay_handler(ngx_http_request_t *r)
+{
+ ngx_event_t *wev;
+
+ ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
+ "auth delay handler");
+
+ wev = r->connection->write;
+
+ if (wev->delayed) {
+
+ if (ngx_handle_write_event(wev, 0) != NGX_OK) {
+ ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);
+ }
+
+ return;
+ }
+
+ ngx_http_finalize_request(r, NGX_HTTP_UNAUTHORIZED);
+}
+
+
ngx_int_t
ngx_http_core_content_phase(ngx_http_request_t *r,
ngx_http_phase_handler_t *ph)
@@ -3394,6 +3472,7 @@
clcf->client_body_buffer_size = NGX_CONF_UNSET_SIZE;
clcf->client_body_timeout = NGX_CONF_UNSET_MSEC;
clcf->satisfy = NGX_CONF_UNSET_UINT;
+ clcf->auth_delay = NGX_CONF_UNSET_MSEC;
clcf->if_modified_since = NGX_CONF_UNSET_UINT;
clcf->max_ranges = NGX_CONF_UNSET_UINT;
clcf->client_body_in_file_only = NGX_CONF_UNSET_UINT;
@@ -3609,6 +3688,7 @@
|NGX_HTTP_KEEPALIVE_DISABLE_MSIE6));
ngx_conf_merge_uint_value(conf->satisfy, prev->satisfy,
NGX_HTTP_SATISFY_ALL);
+ ngx_conf_merge_msec_value(conf->auth_delay, prev->auth_delay, 0);
ngx_conf_merge_uint_value(conf->if_modified_since, prev->if_modified_since,
NGX_HTTP_IMS_EXACT);
ngx_conf_merge_uint_value(conf->max_ranges, prev->max_ranges,
diff --git a/src/http/ngx_http_core_module.h b/src/http/ngx_http_core_module.h
index 2360978..57413b5 100644
--- a/src/http/ngx_http_core_module.h
+++ b/src/http/ngx_http_core_module.h
@@ -363,6 +363,7 @@
ngx_msec_t lingering_time; /* lingering_time */
ngx_msec_t lingering_timeout; /* lingering_timeout */
ngx_msec_t resolver_timeout; /* resolver_timeout */
+ ngx_msec_t auth_delay; /* auth_delay */
ngx_resolver_t *resolver; /* resolver */
