From 5f85bb3714a81d158f4d849ad5c61aec2737a9f0 Mon Sep 17 00:00:00 2001 From: Maxim Dounin Date: Mon, 28 Jun 2021 18:01:04 +0300 Subject: Added CONNECT method rejection. No valid CONNECT requests are expected to appear within nginx, since it is not a forward proxy. Further, request line parsing will reject proper CONNECT requests anyway, since we don't allow authority-form of request-target. On the other hand, RFC 7230 specifies separate message length rules for CONNECT which we don't support, so make sure to always reject CONNECTs to avoid potential abuse. --- src/http/ngx_http_request.c | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'src/http/ngx_http_request.c') diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c index b908e2941..5b2613870 100644 --- a/src/http/ngx_http_request.c +++ b/src/http/ngx_http_request.c @@ -2006,6 +2006,13 @@ ngx_http_process_request_header(ngx_http_request_t *r) } } + if (r->method == NGX_HTTP_CONNECT) { + ngx_log_error(NGX_LOG_INFO, r->connection->log, 0, + "client sent CONNECT method"); + ngx_http_finalize_request(r, NGX_HTTP_NOT_ALLOWED); + return NGX_ERROR; + } + if (r->method == NGX_HTTP_TRACE) { ngx_log_error(NGX_LOG_INFO, r->connection->log, 0, "client sent TRACE method"); -- cgit v1.2.3