comparison src/http/ngx_http_request.c @ 9242:ddcedfa3a809
HTTP: just one empty line now accepted when parsing request line.
This ensures that multiple CRLFs cannot be used as a DoS vector, and is also
in line with RFC 9112 ("SHOULD ignore at least one empty line"). Further,
bare CRs are no longer accepted.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Sat, 30 Mar 2024 05:10:40 +0300 |
parents | 0de20f43db25 |
children | 55a5a40dccde |
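--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -1620,20 +1620,10 @@
 ngx_http_connection_t *hc;
 ngx_http_core_srv_conf_t *cscf;
 
 ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
 "http alloc large header buffer");
-
-if (request_line && r->state == 0) {
-
-/* the client fills up the buffer with "\r\n" */
-
-r->header_in->pos = r->header_in->start;
-r->header_in->last = r->header_in->start;
-
-return NGX_OK;
-}
 
 old = request_line ? r->request_start : r->header_name_start;
 
 cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module);
 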