Mercurial > hg > nginx
comparison src/http/ngx_http_parse.c @ 7883:41f4bd4c51f1
Disabled control characters and space in header names.
Control characters (0x00-0x1f, 0x7f), space, and colon were never allowed in
header names. The only somewhat valid use is header continuation which nginx
never supported and which is explicitly obsolete by RFC 7230.
Previously, such headers were considered invalid and were ignored by default
(as per ignore_invalid_headers directive). With this change, such headers
are unconditionally rejected.
It is expected to make nginx more resilient to various attacks, in particular,
with ignore_invalid_headers switched off (which is inherently unsecure, though
nevertheless sometimes used in the wild).
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Mon, 28 Jun 2021 18:01:18 +0300 |
| parents | b4073527be81 |
| children | b87b7092cedb |
comparison
equal
deleted
inserted
replaced
| 7882:b4073527be81 | 7883:41f4bd4c51f1 |
|---|---|
| 891 } | 891 } |
| 892 | 892 |
| 893 break; | 893 break; |
| 894 } | 894 } |
| 895 | 895 |
| 896 if (ch == '\0') { | 896 if (ch <= 0x20 || ch == 0x7f || ch == ':') { |
| 897 return NGX_HTTP_PARSE_INVALID_HEADER; | 897 return NGX_HTTP_PARSE_INVALID_HEADER; |
| 898 } | 898 } |
| 899 | 899 |
| 900 hash = 0; | 900 hash = 0; |
| 901 i = 0; | 901 i = 0; |
| 959 { | 959 { |
| 960 state = sw_ignore_line; | 960 state = sw_ignore_line; |
| 961 break; | 961 break; |
| 962 } | 962 } |
| 963 | 963 |
| 964 if (ch == '\0') { | 964 if (ch <= 0x20 || ch == 0x7f) { |
| 965 return NGX_HTTP_PARSE_INVALID_HEADER; | 965 return NGX_HTTP_PARSE_INVALID_HEADER; |
| 966 } | 966 } |
| 967 | 967 |
| 968 r->invalid_header = 1; | 968 r->invalid_header = 1; |
| 969 | 969 |