Mercurial > hg > nginx
comparison src/http/ngx_http_request.c @ 9242:ddcedfa3a809
HTTP: just one empty line now accepted when parsing request line.
This ensures that multiple CRLFs cannot be used as a DoS vector, and also
in line with RFC 9112 ("SHOULD ignore at least one empty line"). Further,
bare CRs are no longer accepted.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Sat, 30 Mar 2024 05:10:40 +0300 |
| parents | 0de20f43db25 |
| children | 55a5a40dccde |
comparison
equal
deleted
inserted
replaced
| 9241:07ca679842de | 9242:ddcedfa3a809 |
|---|---|
| 1620 ngx_http_connection_t *hc; | 1620 ngx_http_connection_t *hc; |
| 1621 ngx_http_core_srv_conf_t *cscf; | 1621 ngx_http_core_srv_conf_t *cscf; |
| 1622 | 1622 |
| 1623 ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, | 1623 ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, |
| 1624 "http alloc large header buffer"); | 1624 "http alloc large header buffer"); |
| 1625 | |
| 1626 if (request_line && r->state == 0) { | |
| 1627 | |
| 1628 /* the client fills up the buffer with "\r\n" */ | |
| 1629 | |
| 1630 r->header_in->pos = r->header_in->start; | |
| 1631 r->header_in->last = r->header_in->start; | |
| 1632 | |
| 1633 return NGX_OK; | |
| 1634 } | |
| 1635 | 1625 |
| 1636 old = request_line ? r->request_start : r->header_name_start; | 1626 old = request_line ? r->request_start : r->header_name_start; |
| 1637 | 1627 |
| 1638 cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module); | 1628 cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module); |
| 1639 | 1629 |