Require ":authority" or "Host" in HTTP/3 and HTTP/2 requests.

Also, if both are present, require that they have the same value.  These
requirements are specified in HTTP/3 draft 28.

Current implementation of HTTP/2 treats ":authority" and "Host"
interchangeably.  New checks only make sure at least one of these values is
present in the request.  A similar check existed earlier and was limited only
to HTTP/1.1 in 38c0898b6df7.

1 files changed, 25 insertions, 0 deletions

diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
index 3e6fce676..23b28c243 100644
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -2065,6 +2065,31 @@ ngx_http_process_request_header(ngx_http_request_t *r)
         return NGX_ERROR;
     }
 
+    if (r->http_version >= NGX_HTTP_VERSION_20) {
+        if (r->headers_in.server.len == 0) {
+            ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
+                          "client sent HTTP request without "
+                          "\":authority\" or \"Host\" header");
+            ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
+            return NGX_ERROR;
+        }
+
+        if (r->headers_in.host) {
+            if (r->headers_in.host->value.len != r->headers_in.server.len
+                || ngx_memcmp(r->headers_in.host->value.data,
+                              r->headers_in.server.data,
+                              r->headers_in.server.len)
+                   != 0)
+            {
+                ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
+                              "client sent HTTP request with different "
+                              "values of \":authority\" and \"Host\" headers");
+                ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
+                return NGX_ERROR;
+            }
+        }
+    }
+
     if (r->headers_in.content_length) {
         r->headers_in.content_length_n =
                             ngx_atoof(r->headers_in.content_length->value.data,