comparison src/http/ngx_http_request_body.c @ 9240:f3df785649ae
Request body: limited chunk extensions and trailer headers.
Previously, arbitrary amounts of chunk extensions and trailer headers were
accepted and skipped. Despite being under limit_conn / limit_req limits
(if configured), this can be a DoS vector, so it is now limited by the
client_max_body_size limit.
Reported by Bartek Nowotarski.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Sat, 30 Mar 2024 05:09:35 +0300 |
parents | b2e16e8639c8 |
children | cb1e214efe41 |
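--- a/src/http/ngx_http_request_body.c
+++ b/src/http/ngx_http_request_body.c
@@ -1139,10 +1139,21 @@
 /* a chunk has been parsed successfully */
 
 clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
 
 if (clcf->client_max_body_size
+&& clcf->client_max_body_size < rb->chunked->skipped)
+{
+ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
+"client sent too many chunk extensions");
+
+r->lingering_close = 1;
+
+return NGX_HTTP_REQUEST_ENTITY_TOO_LARGE;
+}
+
+if (clcf->client_max_body_size
 && clcf->client_max_body_size
 - r->headers_in.content_length_n < rb->chunked->size)
 {
 ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
 "client intended to send too large chunked "
@@ -1238,10 +1249,24 @@
 
 break;
 }
 
 if (rc == NGX_AGAIN) {
+
+clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
+
+if (clcf->client_max_body_size
+&& clcf->client_max_body_size < rb->chunked->skipped)
+{
+ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
+"client sent too many chunk extensions "
+"or trailer headers");
+
+r->lingering_close = 1;
+
+return NGX_HTTP_REQUEST_ENTITY_TOO_LARGE;
+}
 
 /* set rb->rest, amount of data we want to see next time */
 
 cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module);
 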
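Review bot: Both added guards are conditioned on `clcf->client_max_body_size` being non-zero, so a location configured with `client_max_body_size 0` still accepts and skips an unbounded amount of chunk extensions and trailer headers, which is the DoS vector the commit message describes. If that is intentional, it deserves a comment at the first guard, for example `/* client_max_body_size 0 also disables the limit on skipped chunk extensions and trailers */`, so operators who disable the body limit know to bound it elsewhere. The check also appears twice with only the log text differing; a small static helper taking the message would keep the two paths from drifting. The limit is evaluated after the parser returns, so presumably `rb->chunked->skipped` can overshoot by up to one read buffer before the request is rejected with 413. The enclosing function starts and ends outside the visible hunks.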