pkgsrc-Changes archive


CVS commit: [pkgsrc-2019Q4] pkgsrc/www/nginx



Module Name:    pkgsrc
Committed By:   bsiegert
Date:           Mon Jan 27 09:35:13 UTC 2020

Modified Files:
        pkgsrc/www/nginx [pkgsrc-2019Q4]: distinfo
Added Files:
        pkgsrc/www/nginx/patches [pkgsrc-2019Q4]:
            patch-src_http_ngx__http__special__response.c

Log Message:
Pullup ticket #6120 - requested by kim
www/nginx: security fix

Revisions pulled up:
- www/nginx/Makefile                                            1.87
- www/nginx/distinfo                                            1.71-1.72
- www/nginx/patches/patch-src_http_ngx__http__special__response.c 1.1-1.2

---
   Module Name:    pkgsrc
   Committed By:   kim
   Date:           Sun Jan 19 07:28:36 UTC 2020

   Modified Files:
           pkgsrc/www/nginx: Makefile distinfo
   Added Files:
           pkgsrc/www/nginx/patches: patch-src_http_ngx__http__special__response.c

   Log Message:
   Add patch from upstream to address CVE-2019-20372. Bump revision.

---
   Module Name:    pkgsrc
   Committed By:   kim
   Date:           Sun Jan 19 07:42:42 UTC 2020

   Modified Files:
           pkgsrc/www/nginx: distinfo
           pkgsrc/www/nginx/patches: patch-src_http_ngx__http__special__response.c

   Log Message:
   Mention CVE-2019-20372 in the patch file as well.


To generate a diff of this commit:
cvs rdiff -u -r1.70 -r1.70.6.1 pkgsrc/www/nginx/distinfo
cvs rdiff -u -r0 -r1.2.2.2 \
    pkgsrc/www/nginx/patches/patch-src_http_ngx__http__special__response.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/www/nginx/distinfo
diff -u pkgsrc/www/nginx/distinfo:1.70 pkgsrc/www/nginx/distinfo:1.70.6.1
--- pkgsrc/www/nginx/distinfo:1.70      Thu Aug 15 08:06:29 2019
+++ pkgsrc/www/nginx/distinfo   Mon Jan 27 09:35:13 2020
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.70 2019/08/15 08:06:29 adam Exp $
+$NetBSD: distinfo,v 1.70.6.1 2020/01/27 09:35:13 bsiegert Exp $
 
 SHA1 (array-var-nginx-module-0.05.tar.gz) = c69fac77814947009ab783a471783b3c95a63a26
 RMD160 (array-var-nginx-module-0.05.tar.gz) = 89bd4efc04864e3e90781588a337338951ec8733
@@ -53,3 +53,4 @@ SHA1 (patch-ab) = 7d126a4372aa8575ef01a4
 SHA1 (patch-auto_cc_conf) = 5e6a479ba419cd16dedeb3b4c47dc685d126ef6a
 SHA1 (patch-auto_lib_pcre_conf) = 8cf03fe38e7f75ef6892cc8b93be5cb18c381e97
 SHA1 (patch-src_event_modules_ngx__eventport__module.c) = c8e919f48d68bd5bffc4ad11d9c79dc6da3a0de2
+SHA1 (patch-src_http_ngx__http__special__response.c) = 7ac84762cc42932c43dc5191888fbe33c2125c3b
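Review bot: The new `SHA1 (patch-src_http_ngx__http__special__response.c)` entry at the end of distinfo has to match the final content of the patch file, not its first revision. The log pulls up distinfo 1.71-1.72 together with patch revisions 1.1-1.2, and the second revision changed the patch text to mention the CVE, so re-run the checksum against the patch as added in this commit and confirm it reproduces the recorded value before the branch is tagged.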

Added files:

Index: pkgsrc/www/nginx/patches/patch-src_http_ngx__http__special__response.c
diff -u /dev/null pkgsrc/www/nginx/patches/patch-src_http_ngx__http__special__response.c:1.2.2.2
--- /dev/null   Mon Jan 27 09:35:13 2020
+++ pkgsrc/www/nginx/patches/patch-src_http_ngx__http__special__response.c      Mon Jan 27 09:35:13 2020
@@ -0,0 +1,23 @@
+$NetBSD$
+
+Discard request body when redirecting to a URL via error_page.
+
+Fixes CVE-2019-20372.
+
+https://github.com/nginx/nginx/commit/c1be55f97211d38b69ac0c2027e6812ab8b1b94e.patch
+
+--- src/http/ngx_http_special_response.c
++++ src/http/ngx_http_special_response.c
+@@ -623,6 +623,12 @@ ngx_http_send_error_page(ngx_http_request_t *r, ngx_http_err_page_t *err_page)
+         return ngx_http_named_location(r, &uri);
+     }
+ 
++    r->expect_tested = 1;
++
++    if (ngx_http_discard_request_body(r) != NGX_OK) {
++        r->keepalive = 0;
++    }
++
+     location = ngx_list_push(&r->headers_out.headers);
+ 
+     if (location == NULL) {
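Review bot: Missing documentation in the patch header: the description "Discard request body when redirecting to a URL via error_page." does not explain why `r->expect_tested = 1` is set before the discard, or why a failed `ngx_http_discard_request_body(r)` only clears `r->keepalive` and lets the redirect continue. A sentence stating that the connection is not kept alive when the body cannot be discarded, so unread body bytes are never left on a reusable connection, would make the intent clear to whoever next rebases this patch against a new nginx release. As a style point, the embedded `---` and `+++` headers name the same path with no `.orig` suffix; if the tree's patch tooling expects one, regenerate the patch with it.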


