Mercurial > hg > nginx
comparison src/http/ngx_http_request.c @ 7877:63c66b7cc07c
Added CONNECT method rejection.
No valid CONNECT requests are expected to appear within nginx, since it
is not a forward proxy. Further, request line parsing will reject
proper CONNECT requests anyway, since we don't allow authority-form of
request-target. On the other hand, RFC 7230 specifies separate message
length rules for CONNECT which we don't support, so make sure to always
reject CONNECTs to avoid potential abuse.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Mon, 28 Jun 2021 18:01:04 +0300 |
parents | b290610bf812 |
children | bea0f9e5c309 |
comparison
equal
deleted
inserted
replaced
7876:b290610bf812 | 7877:63c66b7cc07c |
---|---|
2004 ngx_atotm(r->headers_in.keep_alive->value.data, | 2004 ngx_atotm(r->headers_in.keep_alive->value.data, |
2005 r->headers_in.keep_alive->value.len); | 2005 r->headers_in.keep_alive->value.len); |
2006 } | 2006 } |
2007 } | 2007 } |
2008 | 2008 |
2009 if (r->method == NGX_HTTP_CONNECT) { | |
2010 ngx_log_error(NGX_LOG_INFO, r->connection->log, 0, | |
2011 "client sent CONNECT method"); | |
2012 ngx_http_finalize_request(r, NGX_HTTP_NOT_ALLOWED); | |
2013 return NGX_ERROR; | |
2014 } | |
2015 | |
2009 if (r->method == NGX_HTTP_TRACE) { | 2016 if (r->method == NGX_HTTP_TRACE) { |
2010 ngx_log_error(NGX_LOG_INFO, r->connection->log, 0, | 2017 ngx_log_error(NGX_LOG_INFO, r->connection->log, 0, |
2011 "client sent TRACE method"); | 2018 "client sent TRACE method"); |
2012 ngx_http_finalize_request(r, NGX_HTTP_NOT_ALLOWED); | 2019 ngx_http_finalize_request(r, NGX_HTTP_NOT_ALLOWED); |
2013 return NGX_ERROR; | 2020 return NGX_ERROR; |