Mercurial > hg > nginx

diff src/http/ngx_http_parse.c @ 7877:63c66b7cc07c

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Added CONNECT method rejection. No valid CONNECT requests are expected to appear within nginx, since it is not a forward proxy. Further, request line parsing will reject proper CONNECT requests anyway, since we don't allow authority-form of request-target. On the other hand, RFC 7230 specifies separate message length rules for CONNECT which we don't support, so make sure to always reject CONNECTs to avoid potential abuse.
author Maxim Dounin <mdounin@mdounin.ru>
date Mon, 28 Jun 2021 18:01:04 +0300
parents 8989fbd2f89a
children 52338ddf9e2f
line wrap: on
line diff
--- a/src/http/ngx_http_parse.c
+++ b/src/http/ngx_http_parse.c
@@ -246,6 +246,11 @@ ngx_http_parse_request_line(ngx_http_req
                         r->method = NGX_HTTP_OPTIONS;
                     }
 
+                    if (ngx_str7_cmp(m, 'C', 'O', 'N', 'N', 'E', 'C', 'T', ' '))
+                    {
+                        r->method = NGX_HTTP_CONNECT;
+                    }
+
                     break;
 
                 case 8: