Mercurial > hg > nginx
comparison src/http/ngx_http_request.c @ 7877:63c66b7cc07c
Added CONNECT method rejection.
No valid CONNECT requests are expected to appear within nginx, since it
is not a forward proxy. Further, request line parsing will reject
proper CONNECT requests anyway, since we don't allow authority-form of
request-target. On the other hand, RFC 7230 specifies separate message
length rules for CONNECT which we don't support, so make sure to always
reject CONNECTs to avoid potential abuse.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Mon, 28 Jun 2021 18:01:04 +0300 |
| parents | b290610bf812 |
| children | bea0f9e5c309 |
comparison
equal
deleted
inserted
replaced
| 7876:b290610bf812 | 7877:63c66b7cc07c |
|---|---|
| 2004 ngx_atotm(r->headers_in.keep_alive->value.data, | 2004 ngx_atotm(r->headers_in.keep_alive->value.data, |
| 2005 r->headers_in.keep_alive->value.len); | 2005 r->headers_in.keep_alive->value.len); |
| 2006 } | 2006 } |
| 2007 } | 2007 } |
| 2008 | 2008 |
| 2009 if (r->method == NGX_HTTP_CONNECT) { | |
| 2010 ngx_log_error(NGX_LOG_INFO, r->connection->log, 0, | |
| 2011 "client sent CONNECT method"); | |
| 2012 ngx_http_finalize_request(r, NGX_HTTP_NOT_ALLOWED); | |
| 2013 return NGX_ERROR; | |
| 2014 } | |
| 2015 | |
| 2009 if (r->method == NGX_HTTP_TRACE) { | 2016 if (r->method == NGX_HTTP_TRACE) { |
| 2010 ngx_log_error(NGX_LOG_INFO, r->connection->log, 0, | 2017 ngx_log_error(NGX_LOG_INFO, r->connection->log, 0, |
| 2011 "client sent TRACE method"); | 2018 "client sent TRACE method"); |
| 2012 ngx_http_finalize_request(r, NGX_HTTP_NOT_ALLOWED); | 2019 ngx_http_finalize_request(r, NGX_HTTP_NOT_ALLOWED); |
| 2013 return NGX_ERROR; | 2020 return NGX_ERROR; |