diff src/http/ngx_http_request.c @ 9242:ddcedfa3a809
HTTP: just one empty line now accepted when parsing request line.
This ensures that multiple CRLFs cannot be used as a DoS vector, and is also
in line with RFC 9112 ("SHOULD ignore at least one empty line"). Further,
bare CRs are no longer accepted.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Sat, 30 Mar 2024 05:10:40 +0300 |
parents | 0de20f43db25 |
children | 55a5a40dccde |
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -1623,16 +1623,6 @@ ngx_http_alloc_large_header_buffer(ngx_h
 ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
 "http alloc large header buffer");
 
- if (request_line && r->state == 0) {
-
- /* the client fills up the buffer with "\r\n" */
-
- r->header_in->pos = r->header_in->start;
- r->header_in->last = r->header_in->start;
-
- return NGX_OK;
- }
-
 old = request_line ? r->request_start : r->header_name_start;
 
 cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module);