Mercurial > hg > nginx

diff src/http/ngx_http_parse.c @ 9240:f3df785649ae

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Request body: limited chunk extensions and trailer headers. Previously, arbitrary amounts of chunk extensions and trailer headers were accepted and skipped. Despite being under limit_conn / limit_req limits (if configured), this can be a DoS vector, so it is now limited by the client_max_body_size limit. Reported by Bartek Nowotarski.
author Maxim Dounin <mdounin@mdounin.ru>
date Sat, 30 Mar 2024 05:09:35 +0300
parents dacad3a9c7b8
children ddcedfa3a809
line wrap: on
line diff
--- a/src/http/ngx_http_parse.c
+++ b/src/http/ngx_http_parse.c
@@ -2257,6 +2257,9 @@ ngx_http_parse_chunked(ngx_http_request_
                 break;
             case LF:
                 state = sw_chunk_data;
+                break;
+            default:
+                ctx->skipped++;
             }
             break;
 
@@ -2298,6 +2301,9 @@ ngx_http_parse_chunked(ngx_http_request_
                 break;
             case LF:
                 state = sw_trailer;
+                break;
+            default:
+                ctx->skipped++;
             }
             break;
 
@@ -2333,6 +2339,9 @@ ngx_http_parse_chunked(ngx_http_request_
                 break;
             case LF:
                 state = sw_trailer;
+                break;
+            default:
+                ctx->skipped++;
             }
             break;