Mercurial > hg > nginx
comparison src/http/ngx_http_request_body.c @ 9240:f3df785649ae
Request body: limited chunk extensions and trailer headers.
Previously, arbitrary amounts of chunk extensions and trailer headers were
accepted and skipped. Despite being under limit_conn / limit_req limits
(if configured), this can be a DoS vector, so it is now limited by the
client_max_body_size limit.
Reported by Bartek Nowotarski.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Sat, 30 Mar 2024 05:09:35 +0300 |
| parents | b2e16e8639c8 |
| children | cb1e214efe41 |
comparison
equal
deleted
inserted
replaced
| 9239:b2e16e8639c8 | 9240:f3df785649ae |
|---|---|
| 1139 /* a chunk has been parsed successfully */ | 1139 /* a chunk has been parsed successfully */ |
| 1140 | 1140 |
| 1141 clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); | 1141 clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); |
| 1142 | 1142 |
| 1143 if (clcf->client_max_body_size | 1143 if (clcf->client_max_body_size |
| 1144 && clcf->client_max_body_size < rb->chunked->skipped) | |
| 1145 { | |
| 1146 ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, | |
| 1147 "client sent too many chunk extensions"); | |
| 1148 | |
| 1149 r->lingering_close = 1; | |
| 1150 | |
| 1151 return NGX_HTTP_REQUEST_ENTITY_TOO_LARGE; | |
| 1152 } | |
| 1153 | |
| 1154 if (clcf->client_max_body_size | |
| 1144 && clcf->client_max_body_size | 1155 && clcf->client_max_body_size |
| 1145 - r->headers_in.content_length_n < rb->chunked->size) | 1156 - r->headers_in.content_length_n < rb->chunked->size) |
| 1146 { | 1157 { |
| 1147 ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, | 1158 ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, |
| 1148 "client intended to send too large chunked " | 1159 "client intended to send too large chunked " |
| 1238 | 1249 |
| 1239 break; | 1250 break; |
| 1240 } | 1251 } |
| 1241 | 1252 |
| 1242 if (rc == NGX_AGAIN) { | 1253 if (rc == NGX_AGAIN) { |
| 1254 | |
| 1255 clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); | |
| 1256 | |
| 1257 if (clcf->client_max_body_size | |
| 1258 && clcf->client_max_body_size < rb->chunked->skipped) | |
| 1259 { | |
| 1260 ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, | |
| 1261 "client sent too many chunk extensions " | |
| 1262 "or trailer headers"); | |
| 1263 | |
| 1264 r->lingering_close = 1; | |
| 1265 | |
| 1266 return NGX_HTTP_REQUEST_ENTITY_TOO_LARGE; | |
| 1267 } | |
| 1243 | 1268 |
| 1244 /* set rb->rest, amount of data we want to see next time */ | 1269 /* set rb->rest, amount of data we want to see next time */ |
| 1245 | 1270 |
| 1246 cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module); | 1271 cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module); |
| 1247 | 1272 |