bugfix: updated the check-uri-and-headers-safety patch.

The script started failing with:

    mv: cannot stat 'simplresty-ngx_devel_kit-*': No such file or directory

Since the GitHub organization owning the ngx_devel_kit repository was
updated to be 'vision5' instead of 'simplresty'.

patches/nginx-1.15.8-safe_map_uri_to_path.patch

@@ -0,0 +1,26 @@
+commit a5895eb502747f396d3901a948834cd87d5fb0c3
+Author: Ruslan Ermilov <ru@nginx.com>
+Date:   Mon Dec 16 15:19:01 2019 +0300
+
+    Tolerate '\0' in URI when mapping URI to path.
+    
+    If a rewritten URI has the null character, only a part of URI was
+    copied to a memory buffer allocated for path.  In some setups this
+    could be exploited to expose uninitialized memory via the Location
+    header.
+
+diff --git a/src/http/ngx_http_core_module.c b/src/http/ngx_http_core_module.c
+index aa03fd61..a603e09c 100644
+--- a/src/http/ngx_http_core_module.c
++++ b/src/http/ngx_http_core_module.c
+@@ -1843,7 +1843,8 @@ ngx_http_map_uri_to_path(ngx_http_request_t *r, ngx_str_t *path,
+         }
+     }
+ 
+-    last = ngx_cpystrn(last, r->uri.data + alias, r->uri.len - alias + 1);
++    last = ngx_copy(last, r->uri.data + alias, r->uri.len - alias);
++    *last = '\0';
+ 
+     return last;
+ }
+

patches/ngx_http_lua-0.10.15-check-uri-and-headers-safety.patch

@@ -0,0 +1,239 @@
+diff --git a/src/ngx_http_lua_control.c b/src/ngx_http_lua_control.c
+index 5cd1d64c..d8022cc5 100644
+--- a/src/ngx_http_lua_control.c
++++ b/src/ngx_http_lua_control.c
+@@ -248,6 +248,10 @@ ngx_http_lua_ngx_redirect(lua_State *L)
+                           "the headers");
+     }
+ 
++    if (ngx_http_lua_check_unsafe_string(r, p, len, "redirect uri") != NGX_OK) {
++        return luaL_error(L, "attempt to set unsafe redirect uri");
++    }
++
+     uri = ngx_palloc(r->pool, len);
+     if (uri == NULL) {
+         return luaL_error(L, "no memory");
+diff --git a/src/ngx_http_lua_headers_in.c b/src/ngx_http_lua_headers_in.c
+index c52cd13d..b8befc34 100644
+--- a/src/ngx_http_lua_headers_in.c
++++ b/src/ngx_http_lua_headers_in.c
+@@ -664,6 +664,14 @@ ngx_http_lua_set_input_header(ngx_http_request_t *r, ngx_str_t key,
+ 
+     dd("set header value: %.*s", (int) value.len, value.data);
+ 
++    if (ngx_http_lua_check_unsafe_string(r, key.data, key.len,
++                                         "header name") != NGX_OK
++        || ngx_http_lua_check_unsafe_string(r, value.data, value.len,
++                                            "header value") != NGX_OK)
++    {
++        return NGX_ERROR;
++    }
++
+     hv.hash = ngx_hash_key_lc(key.data, key.len);
+     hv.key = key;
+ 
+diff --git a/src/ngx_http_lua_headers_out.c b/src/ngx_http_lua_headers_out.c
+index cf94bd04..8cd36841 100644
+--- a/src/ngx_http_lua_headers_out.c
++++ b/src/ngx_http_lua_headers_out.c
+@@ -491,6 +491,14 @@ ngx_http_lua_set_output_header(ngx_http_request_t *r, ngx_http_lua_ctx_t *ctx,
+ 
+     dd("set header value: %.*s", (int) value.len, value.data);
+ 
++    if (ngx_http_lua_check_unsafe_string(r, key.data, key.len,
++                                         "header name") != NGX_OK
++        || ngx_http_lua_check_unsafe_string(r, value.data, value.len,
++                                            "header value") != NGX_OK)
++    {
++        return NGX_ERROR;
++    }
++
+     hv.hash = ngx_hash_key_lc(key.data, key.len);
+     hv.key = key;
+ 
+diff --git a/src/ngx_http_lua_uri.c b/src/ngx_http_lua_uri.c
+index 3559b5c0..569cb502 100644
+--- a/src/ngx_http_lua_uri.c
++++ b/src/ngx_http_lua_uri.c
+@@ -55,6 +55,10 @@ ngx_http_lua_ngx_req_set_uri(lua_State *L)
+         return luaL_error(L, "attempt to use zero-length uri");
+     }
+ 
++    if (ngx_http_lua_check_unsafe_string(r, p, len, "uri") != NGX_OK) {
++        return luaL_error(L, "attempt to set unsafe uri");
++    }
++
+     if (n == 2) {
+ 
+         luaL_checktype(L, 2, LUA_TBOOLEAN);
+@@ -107,4 +111,5 @@ ngx_http_lua_ngx_req_set_uri(lua_State *L)
+     return 0;
+ }
+ 
++
+ /* vi:set ft=c ts=4 sw=4 et fdm=marker: */
+diff --git a/src/ngx_http_lua_util.c b/src/ngx_http_lua_util.c
+index c12262e8..515e14ad 100644
+--- a/src/ngx_http_lua_util.c
++++ b/src/ngx_http_lua_util.c
+@@ -4267,4 +4267,71 @@ ngx_http_lua_set_sa_restart(ngx_log_t *log)
+ #endif
+ 
+ 
++size_t
++ngx_http_lua_escape_log(u_char *dst, u_char *src, size_t size)
++{
++    size_t          n;
++    u_char          c;
++    static u_char   hex[] = "0123456789ABCDEF";
++
++    static uint32_t escape[] = {
++        0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
++
++                    /* ?>=< ;:98 7654 3210  /.-, +*)( '&%$ #"!  */
++        0x00000004, /* 0000 0000 0000 0000  0000 0000 0000 0100 */
++
++                    /* _^]\ [ZYX WVUT SRQP  ONML KJIH GFED CBA@ */
++        0x10000000, /* 0001 0000 0000 0000  0000 0000 0000 0000 */
++
++                    /*  ~}| {zyx wvut srqp  onml kjih gfed cba` */
++        0x80000000, /* 1000 0000 0000 0000  0000 0000 0000 0000 */
++
++        0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
++        0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
++        0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
++        0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
++    };
++
++    if (dst == NULL) {
++
++        /* find the number of characters to be escaped */
++
++        n = 0;
++
++        while (size) {
++            c = *src;
++            if (escape[c >> 5] & (1 << (c & 0x1f))) {
++                n += 4;
++
++            } else {
++                n++;
++            }
++
++            src++;
++            size--;
++        }
++
++        return n;
++    }
++
++    while (size) {
++        c = *src;
++        if (escape[c >> 5] & (1 << (c & 0x1f))) {
++            *dst++ = '\\';
++            *dst++ = 'x';
++            *dst++ = hex[*src >> 4];
++            *dst++ = hex[*src & 0xf];
++            src++;
++
++        } else {
++            *dst++ = *src++;
++        }
++
++        size--;
++    }
++
++    return 0;
++}
++
++
+ /* vi:set ft=c ts=4 sw=4 et fdm=marker: */
+diff --git a/src/ngx_http_lua_util.h b/src/ngx_http_lua_util.h
+index f08f4815..e1f4d75d 100644
+--- a/src/ngx_http_lua_util.h
++++ b/src/ngx_http_lua_util.h
+@@ -132,6 +132,12 @@ ngx_http_lua_ffi_check_context(ngx_http_lua_ctx_t *ctx, unsigned flags,
+     }
+ 
+ 
++#define ngx_http_lua_check_if_abortable(L, ctx)                              \
++    if ((ctx)->no_abort) {                                                   \
++        return luaL_error(L, "attempt to abort with pending subrequests");   \
++    }
++
++
+ #define ngx_http_lua_ssl_get_ctx(ssl_conn)                                   \
+     SSL_get_ex_data(ssl_conn, ngx_http_lua_ssl_ctx_index)
+ 
+@@ -254,10 +260,7 @@ void ngx_http_lua_cleanup_free(ngx_http_request_t *r,
+ void ngx_http_lua_set_sa_restart(ngx_log_t *log);
+ #endif
+ 
+-#define ngx_http_lua_check_if_abortable(L, ctx)                              \
+-    if ((ctx)->no_abort) {                                                   \
+-        return luaL_error(L, "attempt to abort with pending subrequests");   \
+-    }
++size_t ngx_http_lua_escape_log(u_char *dst, u_char *src, size_t size);
+ 
+ 
+ static ngx_inline void
+@@ -485,6 +488,59 @@ ngx_inet_get_port(struct sockaddr *sa)
+ #endif
+ 
+ 
++static ngx_inline ngx_int_t
++ngx_http_lua_check_unsafe_string(ngx_http_request_t *r, u_char *str, size_t len,
++    const char *name)
++{
++    size_t           i, buf_len;
++    u_char           c;
++    u_char          *buf, *src = str;
++
++                     /* %00-%1F, %7F */
++
++    static uint32_t  unsafe[] = {
++        0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
++
++                    /* ?>=< ;:98 7654 3210  /.-, +*)( '&%$ #"!  */
++        0x00000000, /* 0000 0000 0000 0000  0000 0000 0000 0000 */
++
++                    /* _^]\ [ZYX WVUT SRQP  ONML KJIH GFED CBA@ */
++        0x00000000, /* 0000 0000 0000 0000  0000 0000 0000 0000 */
++
++                    /*  ~}| {zyx wvut srqp  onml kjih gfed cba` */
++        0x80000000, /* 1000 0000 0000 0000  0000 0000 0000 0000 */
++
++        0x00000000, /* 0000 0000 0000 0000  0000 0000 0000 0000 */
++        0x00000000, /* 0000 0000 0000 0000  0000 0000 0000 0000 */
++        0x00000000, /* 0000 0000 0000 0000  0000 0000 0000 0000 */
++        0x00000000  /* 0000 0000 0000 0000  0000 0000 0000 0000 */
++    };
++
++    for (i = 0; i < len; i++, str++) {
++        c = *str;
++        if (unsafe[c >> 5] & (1 << (c & 0x1f))) {
++            buf_len = ngx_http_lua_escape_log(NULL, src, len);
++            buf = ngx_palloc(r->pool, buf_len);
++            if (buf == NULL) {
++                return NGX_ERROR;
++            }
++
++            ngx_http_lua_escape_log(buf, src, len);
++
++            ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
++                          "unsafe byte \"0x%uxd\" in %s \"%*s\"",
++                          (unsigned) c, name, buf_len, buf);
++
++            ngx_pfree(r->pool, buf);
++
++            return NGX_ERROR;
++        }
++    }
++
++    return NGX_OK;
++}
++
++
+ extern ngx_uint_t  ngx_http_lua_location_hash;
+ extern ngx_uint_t  ngx_http_lua_content_length_hash;
+ 

patches/ngx_http_lua-0.10.15-fix_location_capture_content_length_chunked.patch

@@ -0,0 +1,293 @@
+commit 96c330c3cb2a5abc95d293854801c7ba2896d1da
+Author: Thibault Charbonnier <thibaultcha@me.com>
+Date:   Mon Mar 23 19:40:47 2020 -0700
+
+    bugfix: prevented request smuggling in the ngx.location.capture API.
+
+diff --git a/src/ngx_http_lua_subrequest.c b/src/ngx_http_lua_subrequest.c
+index 19a88d99..9f7036a0 100644
+--- a/src/ngx_http_lua_subrequest.c
++++ b/src/ngx_http_lua_subrequest.c
+@@ -57,8 +57,6 @@ static ngx_str_t  ngx_http_lua_content_length_header_key =
+     ngx_string("Content-Length");
+ 
+ 
+-static ngx_int_t ngx_http_lua_set_content_length_header(ngx_http_request_t *r,
+-    off_t len);
+ static ngx_int_t ngx_http_lua_adjust_subrequest(ngx_http_request_t *sr,
+     ngx_uint_t method, int forward_body,
+     ngx_http_request_body_t *body, unsigned vars_action,
+@@ -79,7 +77,7 @@ static void ngx_http_lua_cancel_subreq(ngx_http_request_t *r);
+ static ngx_int_t ngx_http_post_request_to_head(ngx_http_request_t *r);
+ static ngx_int_t ngx_http_lua_copy_in_file_request_body(ngx_http_request_t *r);
+ static ngx_int_t ngx_http_lua_copy_request_headers(ngx_http_request_t *sr,
+-    ngx_http_request_t *r);
++    ngx_http_request_t *pr, ngx_uint_t prcl);
+ 
+ 
+ enum {
+@@ -634,8 +632,8 @@ ngx_http_lua_adjust_subrequest(ngx_http_request_t *sr, ngx_uint_t method,
+     unsigned vars_action, ngx_array_t *extra_vars)
+ {
+     ngx_http_request_t          *r;
+-    ngx_int_t                    rc;
+     ngx_http_core_main_conf_t   *cmcf;
++    ngx_uint_t                   prcl = 0;
+     size_t                       size;
+ 
+     r = sr->parent;
+@@ -645,46 +643,32 @@ ngx_http_lua_adjust_subrequest(ngx_http_request_t *sr, ngx_uint_t method,
+     if (body) {
+         sr->request_body = body;
+ 
+-        rc = ngx_http_lua_set_content_length_header(sr,
+-                                                    body->buf
+-                                                    ? ngx_buf_size(body->buf)
+-                                                    : 0);
+-
+-        if (rc != NGX_OK) {
+-            return NGX_ERROR;
+-        }
+-
+     } else if (!always_forward_body
+                && method != NGX_HTTP_PUT
+                && method != NGX_HTTP_POST
+                && r->headers_in.content_length_n > 0)
+     {
+-        rc = ngx_http_lua_set_content_length_header(sr, 0);
+-        if (rc != NGX_OK) {
+-            return NGX_ERROR;
+-        }
+-
+-#if 1
+         sr->request_body = NULL;
+-#endif
+ 
+     } else {
+-        if (ngx_http_lua_copy_request_headers(sr, r) != NGX_OK) {
+-            return NGX_ERROR;
++        if (!r->headers_in.chunked) {
++            prcl = 1;
+         }
+ 
+-        if (sr->request_body) {
++        if (sr->request_body && sr->request_body->temp_file) {
+ 
+             /* deep-copy the request body */
+ 
+-            if (sr->request_body->temp_file) {
+-                if (ngx_http_lua_copy_in_file_request_body(sr) != NGX_OK) {
+-                    return NGX_ERROR;
+-                }
++            if (ngx_http_lua_copy_in_file_request_body(sr) != NGX_OK) {
++                return NGX_ERROR;
+             }
+         }
+     }
+ 
++    if (ngx_http_lua_copy_request_headers(sr, r, prcl) != NGX_OK) {
++        return NGX_ERROR;
++    }
++
+     sr->method = method;
+ 
+     switch (method) {
+@@ -1134,100 +1118,6 @@ ngx_http_lua_post_subrequest(ngx_http_request_t *r, void *data, ngx_int_t rc)
+ }
+ 
+ 
+-static ngx_int_t
+-ngx_http_lua_set_content_length_header(ngx_http_request_t *r, off_t len)
+-{
+-    ngx_table_elt_t                 *h, *header;
+-    u_char                          *p;
+-    ngx_list_part_t                 *part;
+-    ngx_http_request_t              *pr;
+-    ngx_uint_t                       i;
+-
+-    r->headers_in.content_length_n = len;
+-
+-    if (ngx_list_init(&r->headers_in.headers, r->pool, 20,
+-                      sizeof(ngx_table_elt_t)) != NGX_OK)
+-    {
+-        return NGX_ERROR;
+-    }
+-
+-    h = ngx_list_push(&r->headers_in.headers);
+-    if (h == NULL) {
+-        return NGX_ERROR;
+-    }
+-
+-    h->key = ngx_http_lua_content_length_header_key;
+-    h->lowcase_key = ngx_pnalloc(r->pool, h->key.len);
+-    if (h->lowcase_key == NULL) {
+-        return NGX_ERROR;
+-    }
+-
+-    ngx_strlow(h->lowcase_key, h->key.data, h->key.len);
+-
+-    r->headers_in.content_length = h;
+-
+-    p = ngx_palloc(r->pool, NGX_OFF_T_LEN);
+-    if (p == NULL) {
+-        return NGX_ERROR;
+-    }
+-
+-    h->value.data = p;
+-
+-    h->value.len = ngx_sprintf(h->value.data, "%O", len) - h->value.data;
+-
+-    h->hash = ngx_http_lua_content_length_hash;
+-
+-#if 0
+-    dd("content length hash: %lu == %lu", (unsigned long) h->hash,
+-       ngx_hash_key_lc((u_char *) "Content-Length",
+-                       sizeof("Content-Length") - 1));
+-#endif
+-
+-    dd("r content length: %.*s",
+-       (int) r->headers_in.content_length->value.len,
+-       r->headers_in.content_length->value.data);
+-
+-    pr = r->parent;
+-
+-    if (pr == NULL) {
+-        return NGX_OK;
+-    }
+-
+-    /* forward the parent request's all other request headers */
+-
+-    part = &pr->headers_in.headers.part;
+-    header = part->elts;
+-
+-    for (i = 0; /* void */; i++) {
+-
+-        if (i >= part->nelts) {
+-            if (part->next == NULL) {
+-                break;
+-            }
+-
+-            part = part->next;
+-            header = part->elts;
+-            i = 0;
+-        }
+-
+-        if (header[i].key.len == sizeof("Content-Length") - 1
+-            && ngx_strncasecmp(header[i].key.data, (u_char *) "Content-Length",
+-                               sizeof("Content-Length") - 1) == 0)
+-        {
+-            continue;
+-        }
+-
+-        if (ngx_http_lua_set_input_header(r, header[i].key,
+-                                          header[i].value, 0) == NGX_ERROR)
+-        {
+-            return NGX_ERROR;
+-        }
+-    }
+-
+-    return NGX_OK;
+-}
+-
+-
+ static void
+ ngx_http_lua_handle_subreq_responses(ngx_http_request_t *r,
+     ngx_http_lua_ctx_t *ctx)
+@@ -1742,11 +1632,17 @@ ngx_http_lua_copy_in_file_request_body(ngx_http_request_t *r)
+ 
+ 
+ static ngx_int_t
+-ngx_http_lua_copy_request_headers(ngx_http_request_t *sr, ngx_http_request_t *r)
++ngx_http_lua_copy_request_headers(ngx_http_request_t *sr,
++    ngx_http_request_t *pr, ngx_uint_t prcl)
+ {
+-    ngx_table_elt_t                 *header;
++    ngx_table_elt_t                 *clh, *header;
+     ngx_list_part_t                 *part;
+     ngx_uint_t                       i;
++    u_char                          *p;
++    off_t                            len;
++
++    dd("before: parent req headers count: %d",
++       (int) pr->headers_in.headers.part.nelts);
+ 
+     if (ngx_list_init(&sr->headers_in.headers, sr->pool, 20,
+                       sizeof(ngx_table_elt_t)) != NGX_OK)
+@@ -1754,10 +1650,46 @@ ngx_http_lua_copy_request_headers(ngx_http_request_t *sr, ngx_http_request_t *r)
+         return NGX_ERROR;
+     }
+ 
+-    dd("before: parent req headers count: %d",
+-       (int) r->headers_in.headers.part.nelts);
++    if (sr->request_body && !prcl) {
++
++        /* craft our own Content-Length */
++
++        len = sr->request_body->buf ? ngx_buf_size(sr->request_body->buf) : 0;
++
++        clh = ngx_list_push(&sr->headers_in.headers);
++        if (clh == NULL) {
++            return NGX_ERROR;
++        }
+ 
+-    part = &r->headers_in.headers.part;
++        clh->hash = ngx_http_lua_content_length_hash;
++        clh->key = ngx_http_lua_content_length_header_key;
++        clh->lowcase_key = ngx_pnalloc(sr->pool, clh->key.len);
++        if (clh->lowcase_key == NULL) {
++            return NGX_ERROR;
++        }
++
++        ngx_strlow(clh->lowcase_key, clh->key.data, clh->key.len);
++
++        p = ngx_palloc(sr->pool, NGX_OFF_T_LEN);
++        if (p == NULL) {
++            return NGX_ERROR;
++        }
++
++        clh->value.data = p;
++        clh->value.len = ngx_sprintf(clh->value.data, "%O", len)
++                         - clh->value.data;
++
++        sr->headers_in.content_length = clh;
++        sr->headers_in.content_length_n = len;
++
++        dd("sr crafted content-length: %.*s",
++           (int) sr->headers_in.content_length->value.len,
++           sr->headers_in.content_length->value.data);
++    }
++
++    /* copy the parent request's headers */
++
++    part = &pr->headers_in.headers.part;
+     header = part->elts;
+ 
+     for (i = 0; /* void */; i++) {
+@@ -1772,7 +1704,14 @@ ngx_http_lua_copy_request_headers(ngx_http_request_t *sr, ngx_http_request_t *r)
+             i = 0;
+         }
+ 
+-        dd("setting request header %.*s: %.*s", (int) header[i].key.len,
++        if (!prcl && header[i].key.len == sizeof("Content-Length") - 1
++            && ngx_strncasecmp(header[i].key.data, (u_char *) "Content-Length",
++                               sizeof("Content-Length") - 1) == 0)
++        {
++            continue;
++        }
++
++        dd("sr copied req header %.*s: %.*s", (int) header[i].key.len,
+            header[i].key.data, (int) header[i].value.len,
+            header[i].value.data);
+ 
+@@ -1784,9 +1723,10 @@ ngx_http_lua_copy_request_headers(ngx_http_request_t *sr, ngx_http_request_t *r)
+     }
+ 
+     dd("after: parent req headers count: %d",
+-       (int) r->headers_in.headers.part.nelts);
++       (int) pr->headers_in.headers.part.nelts);
+ 
+     return NGX_OK;
+ }
+ 
++
+ /* vi:set ft=c ts=4 sw=4 et fdm=marker: */

patches/patch.2019.h2.txt

@@ -0,0 +1,136 @@
+--- src/http/v2/ngx_http_v2.c
++++ src/http/v2/ngx_http_v2.c
+@@ -1546,6 +1546,14 @@ ngx_http_v2_state_process_header(ngx_http_v2_connection_t *h2c, u_char *pos,
+         header->name.len = h2c->state.field_end - h2c->state.field_start;
+         header->name.data = h2c->state.field_start;
+ 
++        if (header->name.len == 0) {
++            ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
++                          "client sent zero header name length");
++
++            return ngx_http_v2_connection_error(h2c,
++                                                NGX_HTTP_V2_PROTOCOL_ERROR);
++        }
++
+         return ngx_http_v2_state_field_len(h2c, pos, end);
+     }
+ 
+@@ -3249,10 +3257,6 @@ ngx_http_v2_validate_header(ngx_http_request_t *r, ngx_http_v2_header_t *header)
+     ngx_uint_t                 i;
+     ngx_http_core_srv_conf_t  *cscf;
+ 
+-    if (header->name.len == 0) {
+-        return NGX_ERROR;
+-    }
+-
+     r->invalid_header = 0;
+ 
+     cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module);
+--- src/http/v2/ngx_http_v2.c
++++ src/http/v2/ngx_http_v2.c
+@@ -4369,6 +4369,8 @@ ngx_http_v2_close_stream(ngx_http_v2_stream_t *stream, ngx_int_t rc)
+      */
+     pool = stream->pool;
+ 
++    h2c->frames -= stream->frames;
++
+     ngx_http_free_request(stream->request, rc);
+ 
+     if (pool != h2c->state.pool) {
+--- src/http/v2/ngx_http_v2.h
++++ src/http/v2/ngx_http_v2.h
+@@ -192,6 +192,8 @@ struct ngx_http_v2_stream_s {
+ 
+     ngx_buf_t                       *preread;
+ 
++    ngx_uint_t                       frames;
++
+     ngx_http_v2_out_frame_t         *free_frames;
+     ngx_chain_t                     *free_frame_headers;
+     ngx_chain_t                     *free_bufs;
+--- src/http/v2/ngx_http_v2_filter_module.c
++++ src/http/v2/ngx_http_v2_filter_module.c
+@@ -1669,22 +1669,34 @@ static ngx_http_v2_out_frame_t *
+ ngx_http_v2_filter_get_data_frame(ngx_http_v2_stream_t *stream,
+     size_t len, ngx_chain_t *first, ngx_chain_t *last)
+ {
+-    u_char                    flags;
+-    ngx_buf_t                *buf;
+-    ngx_chain_t              *cl;
+-    ngx_http_v2_out_frame_t  *frame;
++    u_char                     flags;
++    ngx_buf_t                 *buf;
++    ngx_chain_t               *cl;
++    ngx_http_v2_out_frame_t   *frame;
++    ngx_http_v2_connection_t  *h2c;
+ 
+     frame = stream->free_frames;
++    h2c = stream->connection;
+ 
+     if (frame) {
+         stream->free_frames = frame->next;
+ 
+-    } else {
++    } else if (h2c->frames < 10000) {
+         frame = ngx_palloc(stream->request->pool,
+                            sizeof(ngx_http_v2_out_frame_t));
+         if (frame == NULL) {
+             return NULL;
+         }
++
++        stream->frames++;
++        h2c->frames++;
++
++    } else {
++        ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
++                      "http2 flood detected");
++
++        h2c->connection->error = 1;
++        return NULL;
+     }
+ 
+     flags = last->buf->last_buf ? NGX_HTTP_V2_END_STREAM_FLAG : 0;
+--- src/http/v2/ngx_http_v2.c
++++ src/http/v2/ngx_http_v2.c
+@@ -273,6 +273,7 @@ ngx_http_v2_init(ngx_event_t *rev)
+     h2scf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_v2_module);
+ 
+     h2c->concurrent_pushes = h2scf->concurrent_pushes;
++    h2c->priority_limit = h2scf->concurrent_streams;
+ 
+     h2c->pool = ngx_create_pool(h2scf->pool_size, h2c->connection->log);
+     if (h2c->pool == NULL) {
+@@ -1804,6 +1805,13 @@ ngx_http_v2_state_priority(ngx_http_v2_connection_t *h2c, u_char *pos,
+         return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_SIZE_ERROR);
+     }
+ 
++    if (--h2c->priority_limit == 0) {
++        ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
++                      "client sent too many PRIORITY frames");
++
++        return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_ENHANCE_YOUR_CALM);
++    }
++
+     if (end - pos < NGX_HTTP_V2_PRIORITY_SIZE) {
+         return ngx_http_v2_state_save(h2c, pos, end,
+                                       ngx_http_v2_state_priority);
+@@ -3120,6 +3128,8 @@ ngx_http_v2_create_stream(ngx_http_v2_connection_t *h2c, ngx_uint_t push)
+         h2c->processing++;
+     }
+ 
++    h2c->priority_limit += h2scf->concurrent_streams;
++
+     return stream;
+ }
+ 
+--- src/http/v2/ngx_http_v2.h
++++ src/http/v2/ngx_http_v2.h
+@@ -122,6 +122,7 @@ struct ngx_http_v2_connection_s {
+     ngx_uint_t                       processing;
+     ngx_uint_t                       frames;
+     ngx_uint_t                       idle;
++    ngx_uint_t                       priority_limit;
+ 
+     ngx_uint_t                       pushing;
+     ngx_uint_t                       concurrent_pushes;
+

util/build-win32.sh

@@ -1,13 +1,13 @@
 #!/bin/bash
 
-PCRE=pcre-8.42
+PCRE=pcre-8.44
 ZLIB=zlib-1.2.11
-OPENSSL=openssl-1.1.0j
+OPENSSL=openssl-1.1.0l
 JOBS=12
 
-# wget https://www.openssl.org/source/openssl-1.1.0h.tar.gz
+# wget https://www.openssl.org/source/openssl-1.1.0l.tar.gz
 # wget http://zlib.net/zlib-1.2.11.tar.gz
-# wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.42.tar.gz
+# wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.44.tar.gz
 
 rm -rf objs || exit 1
 mkdir -p objs/lib || exit 1

util/mirror-tarballs

@@ -73,6 +73,10 @@ if [ "$answer" = "Y" ]; then
     echo "$info_txt applying the daemon_destroy_pool patch for nginx"
     patch -p1 < $root/patches/nginx-$main_ver-daemon_destroy_pool.patch || exit 1
     echo
+
+    echo "$info_txt applying the init_cycle_pool_release patch for nginx"
+    patch -p1 < $root/patches/nginx-$main_ver-init_cycle_pool_release.patch || exit 1
+    echo
 fi
 
 answer=`$root/util/ver-ge "$main_ver" 1.5.12`
@@ -398,9 +402,27 @@ if [ "$main_ver" = "1.9.7" ]; then
     echo
 fi
 
-if [ "$main_ver" = "1.13.6" ]; then
-    echo "$info_txt applying the init_cycle_pool_release patch for nginx"
-    patch -p1 < $root/patches/nginx-$main_ver-init_cycle_pool_release.patch || exit 1
+answer=`$root/util/ver-ge "$main_ver" 1.9.5`
+if [ "$answer" = "Y" ]; then
+    answer=`$root/util/ver-ge "$main_ver" 1.16.1`
+    if [ "$answer" = "N" ]; then
+        echo "$info_txt applying the patch for nginx security advisory (CVE-2019-9511 CVE-2019-9513 CVE-2019-9516)"
+        patch -p0 < $root/patches/patch.2019.h2.txt || exit 1
+        echo
+    elif [ `$root/util/ver-ge "$main_ver" 1.17.0` = "Y" ]; then
+        answer=`$root/util/ver-ge "$main_ver" 1.17.3`
+        if [ "$answer" = "N" ]; then
+            echo "$info_txt applying the patch for nginx security advisory (CVE-2019-9511 CVE-2019-9513 CVE-2019-9516)"
+            patch -p0 < $root/patches/patch.2019.h2.txt || exit 1
+            echo
+        fi
+    fi
+fi
+
+answer=`$root/util/ver-ge "$main_ver" 1.17.7`
+if [ "$answer" = "N" ]; then
+    echo "$info_txt applying the safe_map_uri_to_path patch to nginx"
+    patch -p1 < $root/patches/nginx-$main_ver-safe_map_uri_to_path.patch || exit 1
     echo
 fi
 
@@ -459,9 +481,9 @@ mv openresty-xss-nginx-module-* xss-nginx-module-$ver || exit 1
 #################################
 
 ver=0.3.1rc1
-$root/util/get-tarball "https://github.com/simplresty/ngx_devel_kit/tarball/v$ver" -O ngx_devel_kit-$ver.tar.gz
+$root/util/get-tarball "https://github.com/vision5/ngx_devel_kit/tarball/v$ver" -O ngx_devel_kit-$ver.tar.gz
 tar -xzf ngx_devel_kit-$ver.tar.gz || exit 1
-mv simplresty-ngx_devel_kit-* ngx_devel_kit-$ver || exit 1
+mv vision5-ngx_devel_kit-* ngx_devel_kit-$ver || exit 1
 
 #################################
 
@@ -505,6 +527,18 @@ $root/util/get-tarball "https://github.com/openresty/lua-nginx-module/archive/v$
 tar -xzf lua-nginx-module-$ver.tar.gz || exit 1
 mv lua-nginx-module-$ver ngx_lua-$ver || exit 1
 
+cd ngx_lua-$ver || exit 1
+
+echo "$info_txt applying ngx_http_lua-$ver-check-uri-and-headers-safety patch"
+patch -p1 < $root/patches/ngx_http_lua-$ver-check-uri-and-headers-safety.patch || exit 1
+echo
+
+echo "$info_txt applying ngx_http_lua-$ver-fix_location_capture_content_length_chunked patch"
+patch -p1 < $root/patches/ngx_http_lua-$ver-fix_location_capture_content_length_chunked.patch || exit 1
+echo
+
+cd .. || exit 1
+
 #################################
 
 ver=0.07

util/ver

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 main_ver=1.15.8
-minor_ver=1
+minor_ver=4
 version=$main_ver.$minor_ver
 echo $version