bugfix: updated the check-uri-and-headers-safety patch.

bumped version to 1.15.8.4.
bugfix: applied the fix_location_capture_content_length_chunked patch to ngx_http_lua v0.10.15.
2024-10-13 00:29:41 +00:00 · 2020-03-31 12:33:20 -07:00 · 2020-03-25 14:53:50 -07:00 · 2020-03-25 14:52:45 -07:00 · 2020-03-20 12:39:00 -07:00 · 2020-03-20 12:36:30 -07:00
6 changed files with 588 additions and 44 deletions
--- a/patches/nginx-1.15.8-safe_map_uri_to_path.patch
+++ b/patches/nginx-1.15.8-safe_map_uri_to_path.patch
@ -0,0 +1,26 @@
+commit a5895eb502747f396d3901a948834cd87d5fb0c3
+Author: Ruslan Ermilov <ru@nginx.com>
+Date:   Mon Dec 16 15:19:01 2019 +0300
+
+    Tolerate '\0' in URI when mapping URI to path.
+    
+    If a rewritten URI has the null character, only a part of URI was
+    copied to a memory buffer allocated for path.  In some setups this
+    could be exploited to expose uninitialized memory via the Location
+    header.
+
+diff --git a/src/http/ngx_http_core_module.c b/src/http/ngx_http_core_module.c
+index aa03fd61..a603e09c 100644
+--- a/src/http/ngx_http_core_module.c
+++ b/src/http/ngx_http_core_module.c
+@@ -1843,7 +1843,8 @@ ngx_http_map_uri_to_path(ngx_http_request_t *r, ngx_str_t *path,
+         }
+     }
+ 
+-    last = ngx_cpystrn(last, r->uri.data + alias, r->uri.len - alias + 1);
+    last = ngx_copy(last, r->uri.data + alias, r->uri.len - alias);
+    *last = '\0';
+ 
+     return last;
+ }
+
--- a/patches/ngx_http_lua-0.10.15-check-uri-and-headers-safety.patch
+++ b/patches/ngx_http_lua-0.10.15-check-uri-and-headers-safety.patch
@ -0,0 +1,239 @@
+diff --git a/src/ngx_http_lua_control.c b/src/ngx_http_lua_control.c
+index 5cd1d64c..d8022cc5 100644
+--- a/src/ngx_http_lua_control.c
+++ b/src/ngx_http_lua_control.c
+@@ -248,6 +248,10 @@ ngx_http_lua_ngx_redirect(lua_State *L)
+                           "the headers");
+     }
+ 
+    if (ngx_http_lua_check_unsafe_string(r, p, len, "redirect uri") != NGX_OK) {
+        return luaL_error(L, "attempt to set unsafe redirect uri");
+    }
+
+     uri = ngx_palloc(r->pool, len);
+     if (uri == NULL) {
+         return luaL_error(L, "no memory");
+diff --git a/src/ngx_http_lua_headers_in.c b/src/ngx_http_lua_headers_in.c
+index c52cd13d..b8befc34 100644
+--- a/src/ngx_http_lua_headers_in.c
+++ b/src/ngx_http_lua_headers_in.c
+@@ -664,6 +664,14 @@ ngx_http_lua_set_input_header(ngx_http_request_t *r, ngx_str_t key,
+ 
+     dd("set header value: %.*s", (int) value.len, value.data);
+ 
+    if (ngx_http_lua_check_unsafe_string(r, key.data, key.len,
+                                         "header name") != NGX_OK
+        || ngx_http_lua_check_unsafe_string(r, value.data, value.len,
+                                            "header value") != NGX_OK)
+    {
+        return NGX_ERROR;
+    }
+
+     hv.hash = ngx_hash_key_lc(key.data, key.len);
+     hv.key = key;
+ 
+diff --git a/src/ngx_http_lua_headers_out.c b/src/ngx_http_lua_headers_out.c
+index cf94bd04..8cd36841 100644
+--- a/src/ngx_http_lua_headers_out.c
+++ b/src/ngx_http_lua_headers_out.c
+@@ -491,6 +491,14 @@ ngx_http_lua_set_output_header(ngx_http_request_t *r, ngx_http_lua_ctx_t *ctx,
+ 
+     dd("set header value: %.*s", (int) value.len, value.data);
+ 
+    if (ngx_http_lua_check_unsafe_string(r, key.data, key.len,
+                                         "header name") != NGX_OK
+        || ngx_http_lua_check_unsafe_string(r, value.data, value.len,
+                                            "header value") != NGX_OK)
+    {
+        return NGX_ERROR;
+    }
+
+     hv.hash = ngx_hash_key_lc(key.data, key.len);
+     hv.key = key;
+ 
+diff --git a/src/ngx_http_lua_uri.c b/src/ngx_http_lua_uri.c
+index 3559b5c0..569cb502 100644
+--- a/src/ngx_http_lua_uri.c
+++ b/src/ngx_http_lua_uri.c
+@@ -55,6 +55,10 @@ ngx_http_lua_ngx_req_set_uri(lua_State *L)
+         return luaL_error(L, "attempt to use zero-length uri");
+     }
+ 
+    if (ngx_http_lua_check_unsafe_string(r, p, len, "uri") != NGX_OK) {
+        return luaL_error(L, "attempt to set unsafe uri");
+    }
+
+     if (n == 2) {
+ 
+         luaL_checktype(L, 2, LUA_TBOOLEAN);
+@@ -107,4 +111,5 @@ ngx_http_lua_ngx_req_set_uri(lua_State *L)
+     return 0;
+ }
+ 
+
+ /* vi:set ft=c ts=4 sw=4 et fdm=marker: */
+diff --git a/src/ngx_http_lua_util.c b/src/ngx_http_lua_util.c
+index c12262e8..515e14ad 100644
+--- a/src/ngx_http_lua_util.c
+++ b/src/ngx_http_lua_util.c
+@@ -4267,4 +4267,71 @@ ngx_http_lua_set_sa_restart(ngx_log_t *log)
+ #endif
+ 
+ 
+size_t
+ngx_http_lua_escape_log(u_char *dst, u_char *src, size_t size)
+{
+    size_t          n;
+    u_char          c;
+    static u_char   hex[] = "0123456789ABCDEF";
+
+    static uint32_t escape[] = {
+        0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
+
+                    /* ?>=< ;:98 7654 3210  /.-, +*)( '&%$ #"!  */
+        0x00000004, /* 0000 0000 0000 0000  0000 0000 0000 0100 */
+
+                    /* _^]\ [ZYX WVUT SRQP  ONML KJIH GFED CBA@ */
+        0x10000000, /* 0001 0000 0000 0000  0000 0000 0000 0000 */
+
+                    /*  ~}| {zyx wvut srqp  onml kjih gfed cba` */
+        0x80000000, /* 1000 0000 0000 0000  0000 0000 0000 0000 */
+
+        0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
+        0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
+        0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
+        0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
+    };
+
+    if (dst == NULL) {
+
+        /* find the number of characters to be escaped */
+
+        n = 0;
+
+        while (size) {
+            c = *src;
+            if (escape[c >> 5] & (1 << (c & 0x1f))) {
+                n += 4;
+
+            } else {
+                n++;
+            }
+
+            src++;
+            size--;
+        }
+
+        return n;
+    }
+
+    while (size) {
+        c = *src;
+        if (escape[c >> 5] & (1 << (c & 0x1f))) {
+            *dst++ = '\\';
+            *dst++ = 'x';
+            *dst++ = hex[*src >> 4];
+            *dst++ = hex[*src & 0xf];
+            src++;
+
+        } else {
+            *dst++ = *src++;
+        }
+
+        size--;
+    }
+
+    return 0;
+}
+
+
+ /* vi:set ft=c ts=4 sw=4 et fdm=marker: */
+diff --git a/src/ngx_http_lua_util.h b/src/ngx_http_lua_util.h
+index f08f4815..e1f4d75d 100644
+--- a/src/ngx_http_lua_util.h
+++ b/src/ngx_http_lua_util.h
+@@ -132,6 +132,12 @@ ngx_http_lua_ffi_check_context(ngx_http_lua_ctx_t *ctx, unsigned flags,
+     }
+ 
+ 
+#define ngx_http_lua_check_if_abortable(L, ctx)                              \
+    if ((ctx)->no_abort) {                                                   \
+        return luaL_error(L, "attempt to abort with pending subrequests");   \
+    }
+
+
+ #define ngx_http_lua_ssl_get_ctx(ssl_conn)                                   \
+     SSL_get_ex_data(ssl_conn, ngx_http_lua_ssl_ctx_index)
+ 
+@@ -254,10 +260,7 @@ void ngx_http_lua_cleanup_free(ngx_http_request_t *r,
+ void ngx_http_lua_set_sa_restart(ngx_log_t *log);
+ #endif
+ 
+-#define ngx_http_lua_check_if_abortable(L, ctx)                              \
+-    if ((ctx)->no_abort) {                                                   \
+-        return luaL_error(L, "attempt to abort with pending subrequests");   \
+-    }
+size_t ngx_http_lua_escape_log(u_char *dst, u_char *src, size_t size);
+ 
+ 
+ static ngx_inline void
+@@ -485,6 +488,59 @@ ngx_inet_get_port(struct sockaddr *sa)
+ #endif
+ 
+ 
+static ngx_inline ngx_int_t
+ngx_http_lua_check_unsafe_string(ngx_http_request_t *r, u_char *str, size_t len,
+    const char *name)
+{
+    size_t           i, buf_len;
+    u_char           c;
+    u_char          *buf, *src = str;
+
+                     /* %00-%1F, %7F */
+
+    static uint32_t  unsafe[] = {
+        0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
+
+                    /* ?>=< ;:98 7654 3210  /.-, +*)( '&%$ #"!  */
+        0x00000000, /* 0000 0000 0000 0000  0000 0000 0000 0000 */
+
+                    /* _^]\ [ZYX WVUT SRQP  ONML KJIH GFED CBA@ */
+        0x00000000, /* 0000 0000 0000 0000  0000 0000 0000 0000 */
+
+                    /*  ~}| {zyx wvut srqp  onml kjih gfed cba` */
+        0x80000000, /* 1000 0000 0000 0000  0000 0000 0000 0000 */
+
+        0x00000000, /* 0000 0000 0000 0000  0000 0000 0000 0000 */
+        0x00000000, /* 0000 0000 0000 0000  0000 0000 0000 0000 */
+        0x00000000, /* 0000 0000 0000 0000  0000 0000 0000 0000 */
+        0x00000000  /* 0000 0000 0000 0000  0000 0000 0000 0000 */
+    };
+
+    for (i = 0; i < len; i++, str++) {
+        c = *str;
+        if (unsafe[c >> 5] & (1 << (c & 0x1f))) {
+            buf_len = ngx_http_lua_escape_log(NULL, src, len);
+            buf = ngx_palloc(r->pool, buf_len);
+            if (buf == NULL) {
+                return NGX_ERROR;
+            }
+
+            ngx_http_lua_escape_log(buf, src, len);
+
+            ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
+                          "unsafe byte \"0x%uxd\" in %s \"%*s\"",
+                          (unsigned) c, name, buf_len, buf);
+
+            ngx_pfree(r->pool, buf);
+
+            return NGX_ERROR;
+        }
+    }
+
+    return NGX_OK;
+}
+
+
+ extern ngx_uint_t  ngx_http_lua_location_hash;
+ extern ngx_uint_t  ngx_http_lua_content_length_hash;
+ 
--- a/patches/ngx_http_lua-0.10.15-fix_location_capture_content_length_chunked.patch
+++ b/patches/ngx_http_lua-0.10.15-fix_location_capture_content_length_chunked.patch
@ -0,0 +1,293 @@
+commit 96c330c3cb2a5abc95d293854801c7ba2896d1da
+Author: Thibault Charbonnier <thibaultcha@me.com>
+Date:   Mon Mar 23 19:40:47 2020 -0700
+
+    bugfix: prevented request smuggling in the ngx.location.capture API.
+
+diff --git a/src/ngx_http_lua_subrequest.c b/src/ngx_http_lua_subrequest.c
+index 19a88d99..9f7036a0 100644
+--- a/src/ngx_http_lua_subrequest.c
+++ b/src/ngx_http_lua_subrequest.c
+@@ -57,8 +57,6 @@ static ngx_str_t  ngx_http_lua_content_length_header_key =
+     ngx_string("Content-Length");
+ 
+ 
+-static ngx_int_t ngx_http_lua_set_content_length_header(ngx_http_request_t *r,
+-    off_t len);
+ static ngx_int_t ngx_http_lua_adjust_subrequest(ngx_http_request_t *sr,
+     ngx_uint_t method, int forward_body,
+     ngx_http_request_body_t *body, unsigned vars_action,
+@@ -79,7 +77,7 @@ static void ngx_http_lua_cancel_subreq(ngx_http_request_t *r);
+ static ngx_int_t ngx_http_post_request_to_head(ngx_http_request_t *r);
+ static ngx_int_t ngx_http_lua_copy_in_file_request_body(ngx_http_request_t *r);
+ static ngx_int_t ngx_http_lua_copy_request_headers(ngx_http_request_t *sr,
+-    ngx_http_request_t *r);
+    ngx_http_request_t *pr, ngx_uint_t prcl);
+ 
+ 
+ enum {
+@@ -634,8 +632,8 @@ ngx_http_lua_adjust_subrequest(ngx_http_request_t *sr, ngx_uint_t method,
+     unsigned vars_action, ngx_array_t *extra_vars)
+ {
+     ngx_http_request_t          *r;
+-    ngx_int_t                    rc;
+     ngx_http_core_main_conf_t   *cmcf;
+    ngx_uint_t                   prcl = 0;
+     size_t                       size;
+ 
+     r = sr->parent;
+@@ -645,46 +643,32 @@ ngx_http_lua_adjust_subrequest(ngx_http_request_t *sr, ngx_uint_t method,
+     if (body) {
+         sr->request_body = body;
+ 
+-        rc = ngx_http_lua_set_content_length_header(sr,
+-                                                    body->buf
+-                                                    ? ngx_buf_size(body->buf)
+-                                                    : 0);
+-
+-        if (rc != NGX_OK) {
+-            return NGX_ERROR;
+-        }
+-
+     } else if (!always_forward_body
+                && method != NGX_HTTP_PUT
+                && method != NGX_HTTP_POST
+                && r->headers_in.content_length_n > 0)
+     {
+-        rc = ngx_http_lua_set_content_length_header(sr, 0);
+-        if (rc != NGX_OK) {
+-            return NGX_ERROR;
+-        }
+-
+-#if 1
+         sr->request_body = NULL;
+-#endif
+ 
+     } else {
+-        if (ngx_http_lua_copy_request_headers(sr, r) != NGX_OK) {
+-            return NGX_ERROR;
+        if (!r->headers_in.chunked) {
+            prcl = 1;
+         }
+ 
+-        if (sr->request_body) {
+        if (sr->request_body && sr->request_body->temp_file) {
+ 
+             /* deep-copy the request body */
+ 
+-            if (sr->request_body->temp_file) {
+-                if (ngx_http_lua_copy_in_file_request_body(sr) != NGX_OK) {
+-                    return NGX_ERROR;
+-                }
+            if (ngx_http_lua_copy_in_file_request_body(sr) != NGX_OK) {
+                return NGX_ERROR;
+             }
+         }
+     }
+ 
+    if (ngx_http_lua_copy_request_headers(sr, r, prcl) != NGX_OK) {
+        return NGX_ERROR;
+    }
+
+     sr->method = method;
+ 
+     switch (method) {
+@@ -1134,100 +1118,6 @@ ngx_http_lua_post_subrequest(ngx_http_request_t *r, void *data, ngx_int_t rc)
+ }
+ 
+ 
+-static ngx_int_t
+-ngx_http_lua_set_content_length_header(ngx_http_request_t *r, off_t len)
+-{
+-    ngx_table_elt_t                 *h, *header;
+-    u_char                          *p;
+-    ngx_list_part_t                 *part;
+-    ngx_http_request_t              *pr;
+-    ngx_uint_t                       i;
+-
+-    r->headers_in.content_length_n = len;
+-
+-    if (ngx_list_init(&r->headers_in.headers, r->pool, 20,
+-                      sizeof(ngx_table_elt_t)) != NGX_OK)
+-    {
+-        return NGX_ERROR;
+-    }
+-
+-    h = ngx_list_push(&r->headers_in.headers);
+-    if (h == NULL) {
+-        return NGX_ERROR;
+-    }
+-
+-    h->key = ngx_http_lua_content_length_header_key;
+-    h->lowcase_key = ngx_pnalloc(r->pool, h->key.len);
+-    if (h->lowcase_key == NULL) {
+-        return NGX_ERROR;
+-    }
+-
+-    ngx_strlow(h->lowcase_key, h->key.data, h->key.len);
+-
+-    r->headers_in.content_length = h;
+-
+-    p = ngx_palloc(r->pool, NGX_OFF_T_LEN);
+-    if (p == NULL) {
+-        return NGX_ERROR;
+-    }
+-
+-    h->value.data = p;
+-
+-    h->value.len = ngx_sprintf(h->value.data, "%O", len) - h->value.data;
+-
+-    h->hash = ngx_http_lua_content_length_hash;
+-
+-#if 0
+-    dd("content length hash: %lu == %lu", (unsigned long) h->hash,
+-       ngx_hash_key_lc((u_char *) "Content-Length",
+-                       sizeof("Content-Length") - 1));
+-#endif
+-
+-    dd("r content length: %.*s",
+-       (int) r->headers_in.content_length->value.len,
+-       r->headers_in.content_length->value.data);
+-
+-    pr = r->parent;
+-
+-    if (pr == NULL) {
+-        return NGX_OK;
+-    }
+-
+-    /* forward the parent request's all other request headers */
+-
+-    part = &pr->headers_in.headers.part;
+-    header = part->elts;
+-
+-    for (i = 0; /* void */; i++) {
+-
+-        if (i >= part->nelts) {
+-            if (part->next == NULL) {
+-                break;
+-            }
+-
+-            part = part->next;
+-            header = part->elts;
+-            i = 0;
+-        }
+-
+-        if (header[i].key.len == sizeof("Content-Length") - 1
+-            && ngx_strncasecmp(header[i].key.data, (u_char *) "Content-Length",
+-                               sizeof("Content-Length") - 1) == 0)
+-        {
+-            continue;
+-        }
+-
+-        if (ngx_http_lua_set_input_header(r, header[i].key,
+-                                          header[i].value, 0) == NGX_ERROR)
+-        {
+-            return NGX_ERROR;
+-        }
+-    }
+-
+-    return NGX_OK;
+-}
+-
+-
+ static void
+ ngx_http_lua_handle_subreq_responses(ngx_http_request_t *r,
+     ngx_http_lua_ctx_t *ctx)
+@@ -1742,11 +1632,17 @@ ngx_http_lua_copy_in_file_request_body(ngx_http_request_t *r)
+ 
+ 
+ static ngx_int_t
+-ngx_http_lua_copy_request_headers(ngx_http_request_t *sr, ngx_http_request_t *r)
+ngx_http_lua_copy_request_headers(ngx_http_request_t *sr,
+    ngx_http_request_t *pr, ngx_uint_t prcl)
+ {
+-    ngx_table_elt_t                 *header;
+    ngx_table_elt_t                 *clh, *header;
+     ngx_list_part_t                 *part;
+     ngx_uint_t                       i;
+    u_char                          *p;
+    off_t                            len;
+
+    dd("before: parent req headers count: %d",
+       (int) pr->headers_in.headers.part.nelts);
+ 
+     if (ngx_list_init(&sr->headers_in.headers, sr->pool, 20,
+                       sizeof(ngx_table_elt_t)) != NGX_OK)
+@@ -1754,10 +1650,46 @@ ngx_http_lua_copy_request_headers(ngx_http_request_t *sr, ngx_http_request_t *r)
+         return NGX_ERROR;
+     }
+ 
+-    dd("before: parent req headers count: %d",
+-       (int) r->headers_in.headers.part.nelts);
+    if (sr->request_body && !prcl) {
+
+        /* craft our own Content-Length */
+
+        len = sr->request_body->buf ? ngx_buf_size(sr->request_body->buf) : 0;
+
+        clh = ngx_list_push(&sr->headers_in.headers);
+        if (clh == NULL) {
+            return NGX_ERROR;
+        }
+ 
+-    part = &r->headers_in.headers.part;
+        clh->hash = ngx_http_lua_content_length_hash;
+        clh->key = ngx_http_lua_content_length_header_key;
+        clh->lowcase_key = ngx_pnalloc(sr->pool, clh->key.len);
+        if (clh->lowcase_key == NULL) {
+            return NGX_ERROR;
+        }
+
+        ngx_strlow(clh->lowcase_key, clh->key.data, clh->key.len);
+
+        p = ngx_palloc(sr->pool, NGX_OFF_T_LEN);
+        if (p == NULL) {
+            return NGX_ERROR;
+        }
+
+        clh->value.data = p;
+        clh->value.len = ngx_sprintf(clh->value.data, "%O", len)
+                         - clh->value.data;
+
+        sr->headers_in.content_length = clh;
+        sr->headers_in.content_length_n = len;
+
+        dd("sr crafted content-length: %.*s",
+           (int) sr->headers_in.content_length->value.len,
+           sr->headers_in.content_length->value.data);
+    }
+
+    /* copy the parent request's headers */
+
+    part = &pr->headers_in.headers.part;
+     header = part->elts;
+ 
+     for (i = 0; /* void */; i++) {
+@@ -1772,7 +1704,14 @@ ngx_http_lua_copy_request_headers(ngx_http_request_t *sr, ngx_http_request_t *r)
+             i = 0;
+         }
+ 
+-        dd("setting request header %.*s: %.*s", (int) header[i].key.len,
+        if (!prcl && header[i].key.len == sizeof("Content-Length") - 1
+            && ngx_strncasecmp(header[i].key.data, (u_char *) "Content-Length",
+                               sizeof("Content-Length") - 1) == 0)
+        {
+            continue;
+        }
+
+        dd("sr copied req header %.*s: %.*s", (int) header[i].key.len,
+            header[i].key.data, (int) header[i].value.len,
+            header[i].value.data);
+ 
+@@ -1784,9 +1723,10 @@ ngx_http_lua_copy_request_headers(ngx_http_request_t *sr, ngx_http_request_t *r)
+     }
+ 
+     dd("after: parent req headers count: %d",
+-       (int) r->headers_in.headers.part.nelts);
+       (int) pr->headers_in.headers.part.nelts);
+ 
+     return NGX_OK;
+ }
+ 
+
+ /* vi:set ft=c ts=4 sw=4 et fdm=marker: */
--- a/util/build-win32.sh
+++ b/util/build-win32.sh
@ -1,13 +1,13 @@
 #!/bin/bash

-PCRE=pcre-8.42
+PCRE=pcre-8.44
 ZLIB=zlib-1.2.11
-OPENSSL=openssl-1.1.0j
+OPENSSL=openssl-1.1.0l
 JOBS=12

-# wget https://www.openssl.org/source/openssl-1.1.0h.tar.gz
+# wget https://www.openssl.org/source/openssl-1.1.0l.tar.gz
 # wget http://zlib.net/zlib-1.2.11.tar.gz
-# wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.42.tar.gz
+# wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.44.tar.gz

 rm -rf objs || exit 1
 mkdir -p objs/lib || exit 1
--- a/util/mirror-tarballs
+++ b/util/mirror-tarballs
@ -73,6 +73,10 @@ if [ "$answer" = "Y" ]; then
    echo "$info_txt applying the daemon_destroy_pool patch for nginx"
    patch -p1 < $root/patches/nginx-$main_ver-daemon_destroy_pool.patch || exit 1
    echo
+
+    echo "$info_txt applying the init_cycle_pool_release patch for nginx"
+    patch -p1 < $root/patches/nginx-$main_ver-init_cycle_pool_release.patch || exit 1
+    echo
 fi

 answer=`$root/util/ver-ge "$main_ver" 1.5.12`
@ -398,43 +402,6 @@ if [ "$main_ver" = "1.9.7" ]; then
    echo
 fi

-if [ "$main_ver" = "1.13.6" ]; then
-    echo "$info_txt applying the init_cycle_pool_release patch for nginx"
-    patch -p1 < $root/patches/nginx-$main_ver-init_cycle_pool_release.patch || exit 1
-    echo
-fi
-
-answer=`$root/util/ver-ge "$main_ver" 1.9.5`
-if [ "$answer" = "Y" ]; then
-    answer=`$root/util/ver-ge "$main_ver" 1.14.1`
-    if [ "$answer" = "N" ]; then
-        echo "$info_txt applying the patch for nginx security advisory (CVE-2018-16843 CVE-2018-16844)"
-        patch -p0 < $root/patches/patch.2018.h2.txt || exit 1
-        echo
-    elif [ `$root/util/ver-ge "$main_ver" 1.15.0` = "Y" ]; then
-        answer=`$root/util/ver-ge "$main_ver" 1.15.6`
-        if [ "$answer" = "N" ]; then
-            echo "$info_txt applying the patch for nginx security advisory (CVE-2018-16843 CVE-2018-16844)"
-            patch -p0 < $root/patches/patch.2018.h2.txt || exit 1
-            echo
-        fi
-    fi
-fi
-
-answer=`$root/util/ver-ge "$main_ver" 1.14.1`
-if [ "$answer" = "N" ]; then
-    echo "$info_txt applying the patch for nginx security advisory (CVE-2018-16845)"
-    patch -p0 < $root/patches/patch.2018.mp4.txt || exit 1
-    echo
-else
-    answer=`$root/util/ver-ge "$main_ver" 1.15.6`
-    if [ "$answer" = "N" ]; then
-        echo "$info_txt applying the patch for nginx security advisory (CVE-2018-16845)"
-        patch -p0 < $root/patches/patch.2018.mp4.txt || exit 1
-        echo
-    fi
-fi
-
 answer=`$root/util/ver-ge "$main_ver" 1.9.5`
 if [ "$answer" = "Y" ]; then
    answer=`$root/util/ver-ge "$main_ver" 1.16.1`
@ -452,6 +419,13 @@ if [ "$answer" = "Y" ]; then
    fi
 fi

+answer=`$root/util/ver-ge "$main_ver" 1.17.7`
+if [ "$answer" = "N" ]; then
+    echo "$info_txt applying the safe_map_uri_to_path patch to nginx"
+    patch -p1 < $root/patches/nginx-$main_ver-safe_map_uri_to_path.patch || exit 1
+    echo
+fi
+
 rm -f *.patch || exit 1

 echo "$info_txt applying the always_enable_cc_feature_tests patch to nginx"
@ -507,9 +481,9 @@ mv openresty-xss-nginx-module-* xss-nginx-module-$ver || exit 1
 #################################

 ver=0.3.1rc1
-$root/util/get-tarball "https://github.com/simplresty/ngx_devel_kit/tarball/v$ver" -O ngx_devel_kit-$ver.tar.gz
+$root/util/get-tarball "https://github.com/vision5/ngx_devel_kit/tarball/v$ver" -O ngx_devel_kit-$ver.tar.gz
 tar -xzf ngx_devel_kit-$ver.tar.gz || exit 1
-mv simplresty-ngx_devel_kit-* ngx_devel_kit-$ver || exit 1
+mv vision5-ngx_devel_kit-* ngx_devel_kit-$ver || exit 1

 #################################

@ -553,6 +527,18 @@ $root/util/get-tarball "https://github.com/openresty/lua-nginx-module/archive/v$
 tar -xzf lua-nginx-module-$ver.tar.gz || exit 1
 mv lua-nginx-module-$ver ngx_lua-$ver || exit 1

+cd ngx_lua-$ver || exit 1
+
+echo "$info_txt applying ngx_http_lua-$ver-check-uri-and-headers-safety patch"
+patch -p1 < $root/patches/ngx_http_lua-$ver-check-uri-and-headers-safety.patch || exit 1
+echo
+
+echo "$info_txt applying ngx_http_lua-$ver-fix_location_capture_content_length_chunked patch"
+patch -p1 < $root/patches/ngx_http_lua-$ver-fix_location_capture_content_length_chunked.patch || exit 1
+echo
+
+cd .. || exit 1
+
 #################################

 ver=0.07
--- a/util/ver
+++ b/util/ver
@ -1,7 +1,7 @@
 #!/bin/bash

 main_ver=1.15.8
-minor_ver=2
+minor_ver=4
 version=$main_ver.$minor_ver
 echo $version
Author	SHA1	Message	Date
Thibault Charbonnier	99ec14bfb2	bugfix: updated the check-uri-and-headers-safety patch.	2020-03-31 12:33:20 -07:00
Thibault Charbonnier	3875872801	bumped version to 1.15.8.4.	2020-03-25 14:53:50 -07:00
Thibault Charbonnier	4e8b4c395f	bugfix: applied the fix_location_capture_content_length_chunked patch to ngx_http_lua v0.10.15.	2020-03-25 14:52:45 -07:00
Yichun Zhang (agentzh)	562d89c992	win32/win64: upgraded pcre to 8.44.	2020-03-20 12:39:00 -07:00
Yichun Zhang (agentzh)	9a9a7f4f15	win32/win64: upgraded openssl to 1.1.0l.	2020-03-20 12:36:30 -07:00
Thibault Charbonnier	a076e9bce9	bumped version to 1.15.8.3.	2020-03-20 12:14:22 -07:00
Thibault Charbonnier	7cdcb022dc	bugfix: applied the safe_map_uri_to_path patch to NGINX.	2020-03-20 12:14:22 -07:00
Thibault Charbonnier	d75894cc8c	bugfix: mirror-tarballs: applied the init_cycle_pool_release patch to NGINX cores >= 1.13.6 instead of 1.13.6 only.	2020-03-20 11:27:23 -07:00
Thibault Charbonnier	27ba2dde33	bugfix: applied the patch for security advisory to NGINX cores < 1.17.3 and < 1.16.1 (CVE-2019-9511 CVE-2019-9513 CVE-2019-9516).	2020-03-20 11:27:23 -07:00
Thibault Charbonnier	efd60c0a45	bugfix: applied the check-uri-and-headers-safety patch to ngx_http_lua v0.10.15.	2020-03-20 11:27:23 -07:00
Thibault Charbonnier	c262740bf7	bugfix: mirror-tarballs: updated ngx_devel_kit's GitHub owner org to vision5. The script started failing with: mv: cannot stat 'simplresty-ngx_devel_kit-*': No such file or directory Since the GitHub organization owning the ngx_devel_kit repository was updated to be 'vision5' instead of 'simplresty'.	2020-03-20 11:27:23 -07:00
Thibault Charbonnier	a220be6247	Revert "bugfix: applied the patch for security advisory to NGINX cores < 1.14.1 and < 1.15.6 (CVE-2019-9511 CVE-2019-9513 CVE-2019-9516)." This reverts commit `aa16a49e93`.	2020-03-20 11:26:42 -07:00