nginx: src/http/ngx_http_request.c comparison

comparison src/http/ngx_http_request.c @ 8420:2bf17a829ddc quic

Require ":authority" or "Host" in HTTP/3 and HTTP/2 requests. Also, if both are present, require that they have the same value. These requirements are specified in HTTP/3 draft 28. Current implementation of HTTP/2 treats ":authority" and "Host" interchangeably. New checks only make sure at least one of these values is present in the request. A similar check existed earlier and was limited only to HTTP/1.1 in 38c0898b6df7.

author	Roman Arutyunyan <arut@nginx.com>
date	Fri, 29 May 2020 12:42:23 +0300
parents	7995cd199b52
children	833898b35b24

comparison

equal deleted inserted replaced

-:cb149fa03367
+:2bf17a829ddc
 "client sent HTTP/1.1 request without \"Host\" header");
 ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
 return NGX_ERROR;
 }
+if (r->http_version >= NGX_HTTP_VERSION_20) {
+if (r->headers_in.server.len == 0) {
+ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
+"client sent HTTP request without "
+"\":authority\" or \"Host\" header");
+ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
+return NGX_ERROR;
+}
+if (r->headers_in.host) {
+if (r->headers_in.host->value.len != r->headers_in.server.len
+|| ngx_memcmp(r->headers_in.host->value.data,
+r->headers_in.server.data,
+r->headers_in.server.len)
+!= 0)
+{
+ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
+"client sent HTTP request with different "
+"values of \":authority\" and \"Host\" headers");
+ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
+return NGX_ERROR;
+}
+}
+}
 if (r->headers_in.content_length) {
 r->headers_in.content_length_n =
 ngx_atoof(r->headers_in.content_length->value.data,
 r->headers_in.content_length->value.len);

Mercurial > hg > nginx

comparison src/http/ngx_http_request.c @ 8420:2bf17a829ddc quic