Mercurial > hg > nginx

comparison src/http/ngx_http_parse.c @ 9240:f3df785649ae

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Request body: limited chunk extensions and trailer headers. Previously, arbitrary amounts of chunk extensions and trailer headers were accepted and skipped. Despite being under limit_conn / limit_req limits (if configured), this can be a DoS vector, so it is now limited by the client_max_body_size limit. Reported by Bartek Nowotarski.
author Maxim Dounin <mdounin@mdounin.ru>
date Sat, 30 Mar 2024 05:09:35 +0300
parents dacad3a9c7b8
children ddcedfa3a809
comparison
equal deleted inserted replaced
9239:b2e16e8639c8 9240:f3df785649ae
2255 case CR: 2255 case CR:
2256 state = sw_chunk_extension_almost_done; 2256 state = sw_chunk_extension_almost_done;
2257 break; 2257 break;
2258 case LF: 2258 case LF:
2259 state = sw_chunk_data; 2259 state = sw_chunk_data;
2260 break;
2261 default:
2262 ctx->skipped++;
2260 } 2263 }
2261 break; 2264 break;
2262 2265
2263 case sw_chunk_extension_almost_done: 2266 case sw_chunk_extension_almost_done:
2264 if (ch == LF) { 2267 if (ch == LF) {
2296 case CR: 2299 case CR:
2297 state = sw_last_chunk_extension_almost_done; 2300 state = sw_last_chunk_extension_almost_done;
2298 break; 2301 break;
2299 case LF: 2302 case LF:
2300 state = sw_trailer; 2303 state = sw_trailer;
2304 break;
2305 default:
2306 ctx->skipped++;
2301 } 2307 }
2302 break; 2308 break;
2303 2309
2304 case sw_last_chunk_extension_almost_done: 2310 case sw_last_chunk_extension_almost_done:
2305 if (ch == LF) { 2311 if (ch == LF) {
2331 case CR: 2337 case CR:
2332 state = sw_trailer_header_almost_done; 2338 state = sw_trailer_header_almost_done;
2333 break; 2339 break;
2334 case LF: 2340 case LF:
2335 state = sw_trailer; 2341 state = sw_trailer;
2342 break;
2343 default:
2344 ctx->skipped++;
2336 } 2345 }
2337 break; 2346 break;
2338 2347
2339 case sw_trailer_header_almost_done: 2348 case sw_trailer_header_almost_done:
2340 if (ch == LF) { 2349 if (ch == LF) {