From: Maxim Dounin Date: Mon, 28 Jun 2021 15:01:24 +0000 (+0300) Subject: Disabled control characters in the Host header. X-Git-Tag: release-1.21.1~3 X-Git-Url: http://www.kaiwu.me/postgresql/commit/static/gitweb.js?a=commitdiff_plain;h=07c63a42640e59bf5e3399cfdafd498b61671780;p=nginx.git Disabled control characters in the Host header. Control characters (0x00-0x1f, 0x7f) and space are not expected to appear in the Host header. Requests with such characters in the Host header are now unconditionally rejected.
---
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
index 2e7c30fb6..2d1845d02 100644
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -2176,15 +2176,16 @@ ngx_http_validate_host(ngx_str_t *host, ngx_pool_t *pool, ngx_uint_t alloc)
 }
 break;
- case '\0':
- return NGX_DECLINED;
-
 default:
 if (ngx_path_separator(ch)) {
 return NGX_DECLINED;
 }
+ if (ch <= 0x20 || ch == 0x7f) {
+ return NGX_DECLINED;
+ }
+
 if (ch >= 'A' && ch <= 'Z') {
 alloc = 1;
 }
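Review bot: The added `if (ch <= 0x20 || ch == 0x7f)` test in the `default:` branch has no comment, yet it is now the only thing rejecting NUL after the explicit `case '\0':` was removed. I would put `/* control characters (0x00-0x1f, 0x7f) and space; this also covers NUL */` above it so that a later edit does not narrow the range and let NUL bytes through Host validation again. The comparison is only correct for an unsigned byte, and the declaration of `ch` is outside the hunk, so confirm it is `u_char`; with a signed `char`, every byte above 0x7f would be declined as well. The body of ngx_http_validate_host starts and ends outside the hunk.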