win32/win64: upgraded pcre to 8.44.

win32/win64: upgraded openssl to 1.1.0l.
bumped version to 1.15.8.3.
2024-10-13 00:29:41 +00:00 · 2020-03-20 12:39:00 -07:00 · 2020-03-20 12:36:30 -07:00 · 2020-03-20 12:14:22 -07:00 · 2020-03-20 12:14:22 -07:00 · 2020-03-20 11:27:23 -07:00
6 changed files with 575 additions and 10 deletions
--- a/patches/nginx-1.15.8-safe_map_uri_to_path.patch
+++ b/patches/nginx-1.15.8-safe_map_uri_to_path.patch
@ -0,0 +1,26 @@
 commit a5895eb502747f396d3901a948834cd87d5fb0c3
 Author: Ruslan Ermilov <ru@nginx.com>
 Date:   Mon Dec 16 15:19:01 2019 +0300
    Tolerate '\0' in URI when mapping URI to path.
    If a rewritten URI has the null character, only a part of URI was
    copied to a memory buffer allocated for path.  In some setups this
    could be exploited to expose uninitialized memory via the Location
    header.
 diff --git a/src/http/ngx_http_core_module.c b/src/http/ngx_http_core_module.c
 index aa03fd61..a603e09c 100644
 --- a/src/http/ngx_http_core_module.c
 +++ b/src/http/ngx_http_core_module.c
@@ -1843,7 +1843,8 @@ ngx_http_map_uri_to_path(ngx_http_request_t *r, ngx_str_t *path,
         }
     }
 -    last = ngx_cpystrn(last, r->uri.data + alias, r->uri.len - alias + 1);
 +    last = ngx_copy(last, r->uri.data + alias, r->uri.len - alias);
 +    *last = '\0';
     return last;
 }
--- a/patches/ngx_http_lua-0.10.15-check-uri-and-headers-safety.patch
+++ b/patches/ngx_http_lua-0.10.15-check-uri-and-headers-safety.patch
@ -0,0 +1,374 @@
 From 881bf91da6853446398cebc1b2d6a01f8d7939d6 Mon Sep 17 00:00:00 2001
 From: doujiang24 <doujiang24@gmail.com>
 Date: Sat, 13 Jul 2019 13:06:33 +0800
 Subject: [PATCH] bugfix: ensured arguments of APIs mutating response headers
 do not contain '\r' and '\n' characters.
 Signed-off-by: Thibault Charbonnier <thibaultcha@me.com>
 ---
 src/ngx_http_lua_control.c     |  2 ++
 src/ngx_http_lua_headers_out.c |  4 ++++
 src/ngx_http_lua_util.h        | 15 +++++++++++++++
 3 files changed, 21 insertions(+)
 diff --git a/src/ngx_http_lua_control.c b/src/ngx_http_lua_control.c
 index 5cd1d64c..9c523015 100644
 --- a/src/ngx_http_lua_control.c
 +++ b/src/ngx_http_lua_control.c
@@ -248,6 +248,8 @@ ngx_http_lua_ngx_redirect(lua_State *L)
                           "the headers");
     }
 +    len = ngx_http_lua_safe_header_value_len(p, len);
 +
     uri = ngx_palloc(r->pool, len);
     if (uri == NULL) {
         return luaL_error(L, "no memory");
 diff --git a/src/ngx_http_lua_headers_out.c b/src/ngx_http_lua_headers_out.c
 index cf94bd04..4b59721e 100644
 --- a/src/ngx_http_lua_headers_out.c
 +++ b/src/ngx_http_lua_headers_out.c
@@ -491,6 +491,10 @@ ngx_http_lua_set_output_header(ngx_http_request_t *r, ngx_http_lua_ctx_t *ctx,
     dd("set header value: %.*s", (int) value.len, value.data);
 +    key.len = ngx_http_lua_safe_header_value_len(key.data, key.len);
 +
 +    value.len = ngx_http_lua_safe_header_value_len(value.data, value.len);
 +
     hv.hash = ngx_hash_key_lc(key.data, key.len);
     hv.key = key;
 diff --git a/src/ngx_http_lua_util.h b/src/ngx_http_lua_util.h
 index f08f4815..179ff3aa 100644
 --- a/src/ngx_http_lua_util.h
 +++ b/src/ngx_http_lua_util.h
@@ -260,6 +260,21 @@ void ngx_http_lua_set_sa_restart(ngx_log_t *log);
     }
 +static ngx_inline size_t
 +ngx_http_lua_safe_header_value_len(u_char *str, size_t len)
 +{
 +    size_t i;
 +
 +    for (i = 0; i < len; i++, str++) {
 +        if (*str == '\r' || *str == '\n') {
 +            return i;
 +        }
 +    }
 +
 +    return len;
 +}
 +
 +
 static ngx_inline void
 ngx_http_lua_init_ctx(ngx_http_request_t *r, ngx_http_lua_ctx_t *ctx)
 {
 From 38f587a35ef72b8cbb50114797fa875307ff0bfe Mon Sep 17 00:00:00 2001
 From: doujiang <doujiang24@gmail.com>
 Date: Fri, 20 Mar 2020 05:17:20 +0800
 Subject: [PATCH] bugfix: ensured arguments of APIs mutating uri or
 request/response headers do not contain unsafe characters. (#1654)
 Signed-off-by: Thibault Charbonnier <thibaultcha@me.com>
 ---
 src/ngx_http_lua_control.c     |   4 +-
 src/ngx_http_lua_headers_in.c  |   6 ++
 src/ngx_http_lua_headers_out.c |   8 ++-
 src/ngx_http_lua_uri.c         |  59 ++++++++++++++++
 src/ngx_http_lua_util.c        | 119 +++++++++++++++++++++++++++++++++
 src/ngx_http_lua_util.h        |  17 +----
 6 files changed, 195 insertions(+), 18 deletions(-)
 diff --git a/src/ngx_http_lua_control.c b/src/ngx_http_lua_control.c
 index 5ace1763..2fd3d174 100644
 --- a/src/ngx_http_lua_control.c
 +++ b/src/ngx_http_lua_control.c
@@ -239,7 +239,9 @@ ngx_http_lua_ngx_redirect(lua_State *L)
                           "the headers");
     }
 -    len = ngx_http_lua_safe_header_value_len(p, len);
 +    if (ngx_http_lua_check_header_safe(r, p, len) != NGX_OK) {
 +        return luaL_error(L, "attempt to use unsafe uri");
 +    }
     uri = ngx_palloc(r->pool, len);
     if (uri == NULL) {
 diff --git a/src/ngx_http_lua_headers_in.c b/src/ngx_http_lua_headers_in.c
 index 26739fa3..a284f028 100644
 --- a/src/ngx_http_lua_headers_in.c
 +++ b/src/ngx_http_lua_headers_in.c
@@ -658,6 +658,12 @@ ngx_http_lua_set_input_header(ngx_http_request_t *r, ngx_str_t key,
     dd("set header value: %.*s", (int) value.len, value.data);
 +    if (ngx_http_lua_check_header_safe(r, key.data, key.len) != NGX_OK
 +        || ngx_http_lua_check_header_safe(r, value.data, value.len) != NGX_OK)
 +    {
 +        return NGX_ERROR;
 +    }
 +
     hv.hash = ngx_hash_key_lc(key.data, key.len);
     hv.key = key;
 diff --git a/src/ngx_http_lua_headers_out.c b/src/ngx_http_lua_headers_out.c
 index 659a89f4..87f114b8 100644
 --- a/src/ngx_http_lua_headers_out.c
 +++ b/src/ngx_http_lua_headers_out.c
@@ -491,9 +491,11 @@ ngx_http_lua_set_output_header(ngx_http_request_t *r, ngx_http_lua_ctx_t *ctx,
     dd("set header value: %.*s", (int) value.len, value.data);
 -    key.len = ngx_http_lua_safe_header_value_len(key.data, key.len);
 -
 -    value.len = ngx_http_lua_safe_header_value_len(value.data, value.len);
 +    if (ngx_http_lua_check_header_safe(r, key.data, key.len) != NGX_OK
 +        || ngx_http_lua_check_header_safe(r, value.data, value.len) != NGX_OK)
 +    {
 +        return NGX_ERROR;
 +    }
     hv.hash = ngx_hash_key_lc(key.data, key.len);
     hv.key = key;
 diff --git a/src/ngx_http_lua_uri.c b/src/ngx_http_lua_uri.c
 index 3559b5c0..6818ba85 100644
 --- a/src/ngx_http_lua_uri.c
 +++ b/src/ngx_http_lua_uri.c
@@ -16,6 +16,8 @@
 static int ngx_http_lua_ngx_req_set_uri(lua_State *L);
 +static ngx_int_t ngx_http_lua_check_uri_safe(ngx_http_request_t *r,
 +    u_char *str, size_t len);
 void
@@ -55,6 +57,10 @@ ngx_http_lua_ngx_req_set_uri(lua_State *L)
         return luaL_error(L, "attempt to use zero-length uri");
     }
 +    if (ngx_http_lua_check_uri_safe(r, p, len) != NGX_OK) {
 +        return luaL_error(L, "attempt to use unsafe uri");
 +    }
 +
     if (n == 2) {
         luaL_checktype(L, 2, LUA_TBOOLEAN);
@@ -107,4 +113,57 @@ ngx_http_lua_ngx_req_set_uri(lua_State *L)
     return 0;
 }
 +
 +static ngx_inline ngx_int_t
 +ngx_http_lua_check_uri_safe(ngx_http_request_t *r, u_char *str, size_t len)
 +{
 +    size_t           i, buf_len;
 +    u_char           c;
 +    u_char          *buf, *src = str;
 +
 +                     /* %00-%1F, " ", %7F */
 +
 +    static uint32_t  unsafe[] = {
 +        0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
 +
 +                    /* ?>=< ;:98 7654 3210  /.-, +*)( '&%$ #"!  */
 +        0x00000001, /* 0000 0000 0000 0000  0000 0000 0000 0001 */
 +
 +                    /* _^]\ [ZYX WVUT SRQP  ONML KJIH GFED CBA@ */
 +        0x00000000, /* 0000 0000 0000 0000  0000 0000 0000 0000 */
 +
 +                    /*  ~}| {zyx wvut srqp  onml kjih gfed cba` */
 +        0x80000000, /* 1000 0000 0000 0000  0000 0000 0000 0000 */
 +
 +        0x00000000, /* 0000 0000 0000 0000  0000 0000 0000 0000 */
 +        0x00000000, /* 0000 0000 0000 0000  0000 0000 0000 0000 */
 +        0x00000000, /* 0000 0000 0000 0000  0000 0000 0000 0000 */
 +        0x00000000  /* 0000 0000 0000 0000  0000 0000 0000 0000 */
 +    };
 +
 +    for (i = 0; i < len; i++, str++) {
 +        c = *str;
 +        if (unsafe[c >> 5] & (1 << (c & 0x1f))) {
 +            buf_len = ngx_http_lua_escape_log(NULL, src, len);
 +            buf = ngx_palloc(r->pool, buf_len);
 +            if (buf == NULL) {
 +                return NGX_ERROR;
 +            }
 +
 +            ngx_http_lua_escape_log(buf, src, len);
 +
 +            ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
 +                          "unsafe byte \"0x%uxd\" in uri \"%*s\"",
 +                          (unsigned) c, buf_len, buf);
 +
 +            ngx_pfree(r->pool, buf);
 +
 +            return NGX_ERROR;
 +        }
 +    }
 +
 +    return NGX_OK;
 +}
 +
 +
 /* vi:set ft=c ts=4 sw=4 et fdm=marker: */
 diff --git a/src/ngx_http_lua_util.c b/src/ngx_http_lua_util.c
 index 074957b6..42bfb91e 100644
 --- a/src/ngx_http_lua_util.c
 +++ b/src/ngx_http_lua_util.c
@@ -4261,4 +4261,123 @@ ngx_http_lua_set_sa_restart(ngx_log_t *log)
 #endif
 +size_t
 +ngx_http_lua_escape_log(u_char *dst, u_char *src, size_t size)
 +{
 +    size_t          n;
 +    u_char          c;
 +    static u_char   hex[] = "0123456789ABCDEF";
 +
 +    static uint32_t escape[] = {
 +        0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
 +
 +                    /* ?>=< ;:98 7654 3210  /.-, +*)( '&%$ #"!  */
 +        0x00000004, /* 0000 0000 0000 0000  0000 0000 0000 0100 */
 +
 +                    /* _^]\ [ZYX WVUT SRQP  ONML KJIH GFED CBA@ */
 +        0x10000000, /* 0001 0000 0000 0000  0000 0000 0000 0000 */
 +
 +                    /*  ~}| {zyx wvut srqp  onml kjih gfed cba` */
 +        0x80000000, /* 1000 0000 0000 0000  0000 0000 0000 0000 */
 +
 +        0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
 +        0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
 +        0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
 +        0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
 +    };
 +
 +    if (dst == NULL) {
 +
 +        /* find the number of characters to be escaped */
 +
 +        n = 0;
 +
 +        while (size) {
 +            c = *src;
 +            if (escape[c >> 5] & (1 << (c & 0x1f))) {
 +                n += 4;
 +
 +            } else {
 +                n++;
 +            }
 +
 +            src++;
 +            size--;
 +        }
 +
 +        return n;
 +    }
 +
 +    while (size) {
 +        c = *src;
 +        if (escape[c >> 5] & (1 << (c & 0x1f))) {
 +            *dst++ = '\\';
 +            *dst++ = 'x';
 +            *dst++ = hex[*src >> 4];
 +            *dst++ = hex[*src & 0xf];
 +            src++;
 +
 +        } else {
 +            *dst++ = *src++;
 +        }
 +
 +        size--;
 +    }
 +
 +    return 0;
 +}
 +
 +
 +ngx_inline ngx_int_t
 +ngx_http_lua_check_header_safe(ngx_http_request_t *r, u_char *str, size_t len)
 +{
 +    size_t           i, buf_len;
 +    u_char           c;
 +    u_char          *buf, *src = str;
 +
 +                     /* %00-%1F, %7F */
 +
 +    static uint32_t  unsafe[] = {
 +        0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
 +
 +                    /* ?>=< ;:98 7654 3210  /.-, +*)( '&%$ #"!  */
 +        0x00000000, /* 0000 0000 0000 0000  0000 0000 0000 0000 */
 +
 +                    /* _^]\ [ZYX WVUT SRQP  ONML KJIH GFED CBA@ */
 +        0x00000000, /* 0000 0000 0000 0000  0000 0000 0000 0000 */
 +
 +                    /*  ~}| {zyx wvut srqp  onml kjih gfed cba` */
 +        0x80000000, /* 1000 0000 0000 0000  0000 0000 0000 0000 */
 +
 +        0x00000000, /* 0000 0000 0000 0000  0000 0000 0000 0000 */
 +        0x00000000, /* 0000 0000 0000 0000  0000 0000 0000 0000 */
 +        0x00000000, /* 0000 0000 0000 0000  0000 0000 0000 0000 */
 +        0x00000000  /* 0000 0000 0000 0000  0000 0000 0000 0000 */
 +    };
 +
 +    for (i = 0; i < len; i++, str++) {
 +        c = *str;
 +        if (unsafe[c >> 5] & (1 << (c & 0x1f))) {
 +            buf_len = ngx_http_lua_escape_log(NULL, src, len);
 +            buf = ngx_palloc(r->pool, buf_len);
 +            if (buf == NULL) {
 +                return NGX_ERROR;
 +            }
 +
 +            ngx_http_lua_escape_log(buf, src, len);
 +
 +            ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
 +                          "unsafe byte \"0x%uxd\" in header \"%*s\"",
 +                          (unsigned) c, buf_len, buf);
 +
 +            ngx_pfree(r->pool, buf);
 +
 +            return NGX_ERROR;
 +        }
 +    }
 +
 +    return NGX_OK;
 +}
 +
 +
 /* vi:set ft=c ts=4 sw=4 et fdm=marker: */
 diff --git a/src/ngx_http_lua_util.h b/src/ngx_http_lua_util.h
 index 13bfd273..7e62dccb 100644
 --- a/src/ngx_http_lua_util.h
 +++ b/src/ngx_http_lua_util.h
@@ -241,20 +241,9 @@ void ngx_http_lua_cleanup_free(ngx_http_request_t *r,
 void ngx_http_lua_set_sa_restart(ngx_log_t *log);
 #endif
 -
 -static ngx_inline size_t
 -ngx_http_lua_safe_header_value_len(u_char *str, size_t len)
 -{
 -    size_t i;
 -
 -    for (i = 0; i < len; i++, str++) {
 -        if (*str == '\r' || *str == '\n') {
 -            return i;
 -        }
 -    }
 -
 -    return len;
 -}
 +size_t ngx_http_lua_escape_log(u_char *dst, u_char *src, size_t size);
 +ngx_int_t ngx_http_lua_check_header_safe(ngx_http_request_t *r, u_char *str,
 +    size_t len);
 static ngx_inline void
--- a/patches/patch.2019.h2.txt
+++ b/patches/patch.2019.h2.txt
@ -0,0 +1,136 @@
 --- src/http/v2/ngx_http_v2.c
 +++ src/http/v2/ngx_http_v2.c
@@ -1546,6 +1546,14 @@ ngx_http_v2_state_process_header(ngx_http_v2_connection_t *h2c, u_char *pos,
         header->name.len = h2c->state.field_end - h2c->state.field_start;
         header->name.data = h2c->state.field_start;
 +        if (header->name.len == 0) {
 +            ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
 +                          "client sent zero header name length");
 +
 +            return ngx_http_v2_connection_error(h2c,
 +                                                NGX_HTTP_V2_PROTOCOL_ERROR);
 +        }
 +
         return ngx_http_v2_state_field_len(h2c, pos, end);
     }
@@ -3249,10 +3257,6 @@ ngx_http_v2_validate_header(ngx_http_request_t *r, ngx_http_v2_header_t *header)
     ngx_uint_t                 i;
     ngx_http_core_srv_conf_t  *cscf;
 -    if (header->name.len == 0) {
 -        return NGX_ERROR;
 -    }
 -
     r->invalid_header = 0;
     cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module);
 --- src/http/v2/ngx_http_v2.c
 +++ src/http/v2/ngx_http_v2.c
@@ -4369,6 +4369,8 @@ ngx_http_v2_close_stream(ngx_http_v2_stream_t *stream, ngx_int_t rc)
      */
     pool = stream->pool;
 +    h2c->frames -= stream->frames;
 +
     ngx_http_free_request(stream->request, rc);
     if (pool != h2c->state.pool) {
 --- src/http/v2/ngx_http_v2.h
 +++ src/http/v2/ngx_http_v2.h
@@ -192,6 +192,8 @@ struct ngx_http_v2_stream_s {
     ngx_buf_t                       *preread;
 +    ngx_uint_t                       frames;
 +
     ngx_http_v2_out_frame_t         *free_frames;
     ngx_chain_t                     *free_frame_headers;
     ngx_chain_t                     *free_bufs;
 --- src/http/v2/ngx_http_v2_filter_module.c
 +++ src/http/v2/ngx_http_v2_filter_module.c
@@ -1669,22 +1669,34 @@ static ngx_http_v2_out_frame_t *
 ngx_http_v2_filter_get_data_frame(ngx_http_v2_stream_t *stream,
     size_t len, ngx_chain_t *first, ngx_chain_t *last)
 {
 -    u_char                    flags;
 -    ngx_buf_t                *buf;
 -    ngx_chain_t              *cl;
 -    ngx_http_v2_out_frame_t  *frame;
 +    u_char                     flags;
 +    ngx_buf_t                 *buf;
 +    ngx_chain_t               *cl;
 +    ngx_http_v2_out_frame_t   *frame;
 +    ngx_http_v2_connection_t  *h2c;
     frame = stream->free_frames;
 +    h2c = stream->connection;
     if (frame) {
         stream->free_frames = frame->next;
 -    } else {
 +    } else if (h2c->frames < 10000) {
         frame = ngx_palloc(stream->request->pool,
                            sizeof(ngx_http_v2_out_frame_t));
         if (frame == NULL) {
             return NULL;
         }
 +
 +        stream->frames++;
 +        h2c->frames++;
 +
 +    } else {
 +        ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
 +                      "http2 flood detected");
 +
 +        h2c->connection->error = 1;
 +        return NULL;
     }
     flags = last->buf->last_buf ? NGX_HTTP_V2_END_STREAM_FLAG : 0;
 --- src/http/v2/ngx_http_v2.c
 +++ src/http/v2/ngx_http_v2.c
@@ -273,6 +273,7 @@ ngx_http_v2_init(ngx_event_t *rev)
     h2scf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_v2_module);
     h2c->concurrent_pushes = h2scf->concurrent_pushes;
 +    h2c->priority_limit = h2scf->concurrent_streams;
     h2c->pool = ngx_create_pool(h2scf->pool_size, h2c->connection->log);
     if (h2c->pool == NULL) {
@@ -1804,6 +1805,13 @@ ngx_http_v2_state_priority(ngx_http_v2_connection_t *h2c, u_char *pos,
         return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_SIZE_ERROR);
     }
 +    if (--h2c->priority_limit == 0) {
 +        ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
 +                      "client sent too many PRIORITY frames");
 +
 +        return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_ENHANCE_YOUR_CALM);
 +    }
 +
     if (end - pos < NGX_HTTP_V2_PRIORITY_SIZE) {
         return ngx_http_v2_state_save(h2c, pos, end,
                                       ngx_http_v2_state_priority);
@@ -3120,6 +3128,8 @@ ngx_http_v2_create_stream(ngx_http_v2_connection_t *h2c, ngx_uint_t push)
         h2c->processing++;
     }
 +    h2c->priority_limit += h2scf->concurrent_streams;
 +
     return stream;
 }
 --- src/http/v2/ngx_http_v2.h
 +++ src/http/v2/ngx_http_v2.h
@@ -122,6 +122,7 @@ struct ngx_http_v2_connection_s {
     ngx_uint_t                       processing;
     ngx_uint_t                       frames;
     ngx_uint_t                       idle;
 +    ngx_uint_t                       priority_limit;
     ngx_uint_t                       pushing;
     ngx_uint_t                       concurrent_pushes;
--- a/util/build-win32.sh
+++ b/util/build-win32.sh
@ -1,13 +1,13 @@
 #!/bin/bash
-PCRE=pcre-8.42
+PCRE=pcre-8.44
 ZLIB=zlib-1.2.11
-OPENSSL=openssl-1.1.0j
+OPENSSL=openssl-1.1.0l
 JOBS=12
-# wget https://www.openssl.org/source/openssl-1.1.0h.tar.gz
+# wget https://www.openssl.org/source/openssl-1.1.0l.tar.gz
 # wget http://zlib.net/zlib-1.2.11.tar.gz
-# wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.42.tar.gz
+# wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.44.tar.gz
 rm -rf objs || exit 1
 mkdir -p objs/lib || exit 1
--- a/util/mirror-tarballs
+++ b/util/mirror-tarballs
@ -73,6 +73,10 @@ if [ "$answer" = "Y" ]; then
    echo "$info_txt applying the daemon_destroy_pool patch for nginx"
    patch -p1 < $root/patches/nginx-$main_ver-daemon_destroy_pool.patch || exit 1
    echo
    echo "$info_txt applying the init_cycle_pool_release patch for nginx"
    patch -p1 < $root/patches/nginx-$main_ver-init_cycle_pool_release.patch || exit 1
    echo
 fi
 answer=`$root/util/ver-ge "$main_ver" 1.5.12`
@ -398,9 +402,27 @@ if [ "$main_ver" = "1.9.7" ]; then
    echo
 fi
-if [ "$main_ver" = "1.13.6" ]; then
+answer=`$root/util/ver-ge "$main_ver" 1.9.5`
-    echo "$info_txt applying the init_cycle_pool_release patch for nginx"
+if [ "$answer" = "Y" ]; then
-    patch -p1 < $root/patches/nginx-$main_ver-init_cycle_pool_release.patch || exit 1
+    answer=`$root/util/ver-ge "$main_ver" 1.16.1`
    if [ "$answer" = "N" ]; then
        echo "$info_txt applying the patch for nginx security advisory (CVE-2019-9511 CVE-2019-9513 CVE-2019-9516)"
        patch -p0 < $root/patches/patch.2019.h2.txt || exit 1
        echo
    elif [ `$root/util/ver-ge "$main_ver" 1.17.0` = "Y" ]; then
        answer=`$root/util/ver-ge "$main_ver" 1.17.3`
        if [ "$answer" = "N" ]; then
            echo "$info_txt applying the patch for nginx security advisory (CVE-2019-9511 CVE-2019-9513 CVE-2019-9516)"
            patch -p0 < $root/patches/patch.2019.h2.txt || exit 1
            echo
        fi
    fi
 fi
 answer=`$root/util/ver-ge "$main_ver" 1.17.7`
 if [ "$answer" = "N" ]; then
    echo "$info_txt applying the safe_map_uri_to_path patch to nginx"
    patch -p1 < $root/patches/nginx-$main_ver-safe_map_uri_to_path.patch || exit 1
    echo
 fi
@ -459,9 +481,9 @@ mv openresty-xss-nginx-module-* xss-nginx-module-$ver || exit 1
 #################################
 ver=0.3.1rc1
-$root/util/get-tarball "https://github.com/simplresty/ngx_devel_kit/tarball/v$ver" -O ngx_devel_kit-$ver.tar.gz
+$root/util/get-tarball "https://github.com/vision5/ngx_devel_kit/tarball/v$ver" -O ngx_devel_kit-$ver.tar.gz
 tar -xzf ngx_devel_kit-$ver.tar.gz || exit 1
-mv simplresty-ngx_devel_kit-* ngx_devel_kit-$ver || exit 1
+mv vision5-ngx_devel_kit-* ngx_devel_kit-$ver || exit 1
 #################################
@ -505,6 +527,13 @@ $root/util/get-tarball "https://github.com/openresty/lua-nginx-module/archive/v$
 tar -xzf lua-nginx-module-$ver.tar.gz || exit 1
 mv lua-nginx-module-$ver ngx_lua-$ver || exit 1
 cd ngx_lua-$ver || exit 1
 echo "applying ngx_http_lua-$ver-check-uri-and-headers-safety patch"
 patch -p1 < $root/patches/ngx_http_lua-$ver-check-uri-and-headers-safety.patch || exit 1
 cd .. || exit 1
 #################################
 ver=0.07
--- a/util/ver
+++ b/util/ver
@ -1,7 +1,7 @@
 #!/bin/bash
 main_ver=1.15.8
-minor_ver=1rc2
+minor_ver=3
 version=$main_ver.$minor_ver
 echo $version
Author	SHA1	Message	Date
Yichun Zhang (agentzh)	562d89c992	win32/win64: upgraded pcre to 8.44.	2020-03-20 12:39:00 -07:00
Yichun Zhang (agentzh)	9a9a7f4f15	win32/win64: upgraded openssl to 1.1.0l.	2020-03-20 12:36:30 -07:00
Thibault Charbonnier	a076e9bce9	bumped version to 1.15.8.3.	2020-03-20 12:14:22 -07:00
Thibault Charbonnier	7cdcb022dc	bugfix: applied the safe_map_uri_to_path patch to NGINX.	2020-03-20 12:14:22 -07:00
Thibault Charbonnier	d75894cc8c	bugfix: mirror-tarballs: applied the init_cycle_pool_release patch to NGINX cores >= 1.13.6 instead of 1.13.6 only.	2020-03-20 11:27:23 -07:00
Thibault Charbonnier	27ba2dde33	bugfix: applied the patch for security advisory to NGINX cores < 1.17.3 and < 1.16.1 (CVE-2019-9511 CVE-2019-9513 CVE-2019-9516).	2020-03-20 11:27:23 -07:00
Thibault Charbonnier	efd60c0a45	bugfix: applied the check-uri-and-headers-safety patch to ngx_http_lua v0.10.15.	2020-03-20 11:27:23 -07:00
Thibault Charbonnier	c262740bf7	bugfix: mirror-tarballs: updated ngx_devel_kit's GitHub owner org to vision5. The script started failing with: mv: cannot stat 'simplresty-ngx_devel_kit-*': No such file or directory Since the GitHub organization owning the ngx_devel_kit repository was updated to be 'vision5' instead of 'simplresty'.	2020-03-20 11:27:23 -07:00
Thibault Charbonnier	a220be6247	Revert "bugfix: applied the patch for security advisory to NGINX cores < 1.14.1 and < 1.15.6 (CVE-2019-9511 CVE-2019-9513 CVE-2019-9516)." This reverts commit `aa16a49e93`.	2020-03-20 11:26:42 -07:00
Thibault Charbonnier	71dc30470c	bumped version to 1.15.8.2.	2019-08-14 14:38:11 -07:00
Thibault Charbonnier	aa16a49e93	bugfix: applied the patch for security advisory to NGINX cores < 1.14.1 and < 1.15.6 (CVE-2019-9511 CVE-2019-9513 CVE-2019-9516).	2019-08-14 14:34:32 -07:00
Yichun Zhang (agentzh)	2b40d7b8ee	bumped version to 1.15.8.1.	2019-05-16 14:25:44 -07:00