diff options
| author | Maxim Dounin <mdounin@mdounin.ru> | 2021-06-28 18:01:18 +0300 |
|---|---|---|
| committer | Maxim Dounin <mdounin@mdounin.ru> | 2021-06-28 18:01:18 +0300 |
| commit | 9ab4d368af63e9c4a0bebc0eda82d668adaa560a (patch) | |
| tree | a36daa678c6b51236368041c38c24dd8000eaccd /src | |
| parent | 0b66bd4be777a5b79c5ae0e7dff89fc6429da0fe (diff) | |
| download | nginx-9ab4d368af63e9c4a0bebc0eda82d668adaa560a.tar.gz nginx-9ab4d368af63e9c4a0bebc0eda82d668adaa560a.zip | |
Disabled control characters and space in header names.
Control characters (0x00-0x1f, 0x7f), space, and colon were never allowed in
header names. The only somewhat valid use is header continuation which nginx
never supported and which is explicitly obsolete by RFC 7230.
Previously, such headers were considered invalid and were ignored by default
(as per ignore_invalid_headers directive). With this change, such headers
are unconditionally rejected.
It is expected to make nginx more resilient to various attacks, in particular,
with ignore_invalid_headers switched off (which is inherently unsecure, though
nevertheless sometimes used in the wild).
Diffstat (limited to 'src')
| -rw-r--r-- | src/http/modules/ngx_http_grpc_module.c | 2 | ||||
| -rw-r--r-- | src/http/ngx_http_parse.c | 4 | ||||
| -rw-r--r-- | src/http/v2/ngx_http_v2.c | 2 |
3 files changed, 4 insertions, 4 deletions
diff --git a/src/http/modules/ngx_http_grpc_module.c b/src/http/modules/ngx_http_grpc_module.c index 654bd17b9..65bd1e6c3 100644 --- a/src/http/modules/ngx_http_grpc_module.c +++ b/src/http/modules/ngx_http_grpc_module.c @@ -3384,7 +3384,7 @@ ngx_http_grpc_validate_header_name(ngx_http_request_t *r, ngx_str_t *s) return NGX_ERROR; } - if (ch == '\0' || ch == CR || ch == LF) { + if (ch <= 0x20 || ch == 0x7f) { return NGX_ERROR; } } diff --git a/src/http/ngx_http_parse.c b/src/http/ngx_http_parse.c index 0d36a44e5..6af326dee 100644 --- a/src/http/ngx_http_parse.c +++ b/src/http/ngx_http_parse.c @@ -893,7 +893,7 @@ ngx_http_parse_header_line(ngx_http_request_t *r, ngx_buf_t *b, break; } - if (ch == '\0') { + if (ch <= 0x20 || ch == 0x7f || ch == ':') { return NGX_HTTP_PARSE_INVALID_HEADER; } @@ -961,7 +961,7 @@ ngx_http_parse_header_line(ngx_http_request_t *r, ngx_buf_t *b, break; } - if (ch == '\0') { + if (ch <= 0x20 || ch == 0x7f) { return NGX_HTTP_PARSE_INVALID_HEADER; } diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c index 423667d47..3bef002bd 100644 --- a/src/http/v2/ngx_http_v2.c +++ b/src/http/v2/ngx_http_v2.c @@ -3457,7 +3457,7 @@ ngx_http_v2_validate_header(ngx_http_request_t *r, ngx_http_v2_header_t *header) continue; } - if (ch == '\0' || ch == LF || ch == CR || ch == ':' + if (ch <= 0x20 || ch == 0x7f || ch == ':' || (ch >= 'A' && ch <= 'Z')) { ngx_log_error(NGX_LOG_INFO, r->connection->log, 0, |