git.kaiwu.me - nginx.git/commit

author	Maxim Dounin <mdounin@mdounin.ru>
	Mon, 28 Jun 2021 15:01:18 +0000 (18:01 +0300)
committer	Maxim Dounin <mdounin@mdounin.ru>
	Mon, 28 Jun 2021 15:01:18 +0000 (18:01 +0300)
commit	9ab4d368af63e9c4a0bebc0eda82d668adaa560a
tree	a36daa678c6b51236368041c38c24dd8000eaccd	tree \| snapshot
parent	0b66bd4be777a5b79c5ae0e7dff89fc6429da0fe	commit \| diff

Disabled control characters and space in header names.

Control characters (0x00-0x1f, 0x7f), space, and colon were never allowed in
header names. The only somewhat valid use is header continuation which nginx
never supported and which is explicitly obsolete by RFC 7230.

Previously, such headers were considered invalid and were ignored by default
(as per ignore_invalid_headers directive). With this change, such headers
are unconditionally rejected.

It is expected to make nginx more resilient to various attacks, in particular,
with ignore_invalid_headers switched off (which is inherently unsecure, though
nevertheless sometimes used in the wild).

src/http/modules/ngx_http_grpc_module.c		diff \| blob \| history
src/http/ngx_http_parse.c		diff \| blob \| history
src/http/v2/ngx_http_v2.c		diff \| blob \| history