diff src/http/ngx_http_parse.c @ 9240:f3df785649ae
Request body: limited chunk extensions and trailer headers.
Previously, arbitrary amounts of chunk extensions and trailer headers were
accepted and skipped. Despite being under limit_conn / limit_req limits
(if configured), this can be a DoS vector, so it is now limited by the
client_max_body_size limit.
Reported by Bartek Nowotarski.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Sat, 30 Mar 2024 05:09:35 +0300 |
parents | dacad3a9c7b8 |
children | ddcedfa3a809 |
--- a/src/http/ngx_http_parse.c +++ b/src/http/ngx_http_parse.c @@ -2257,6 +2257,9 @@ ngx_http_parse_chunked(ngx_http_request_ break; case LF: state = sw_chunk_data; + break; + default: + ctx->skipped++; } break; @@ -2298,6 +2301,9 @@ ngx_http_parse_chunked(ngx_http_request_ break; case LF: state = sw_trailer; + break; + default: + ctx->skipped++; } break; @@ -2333,6 +2339,9 @@ ngx_http_parse_chunked(ngx_http_request_ break; case LF: state = sw_trailer; + break; + default: + ctx->skipped++; } break;
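Review bot: in the first hunk (@@ -2257), `ctx->skipped++` sits only in the `default:` branch, so the byte handled by `case LF:` (and by whatever cases precede it) is never counted. If the counter is meant to bound every byte discarded outside chunk data, count those bytes too; otherwise add a comment at the increment stating that `skipped` excludes line terminators, so the code that compares it against the limit knows exactly what it measures.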
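Review bot: the second and third hunks (@@ -2298 and @@ -2333) increment the same `ctx->skipped` as the first hunk's state, and none of the three hunks compares the counter to a limit or resets it. The commit message names client_max_body_size as the bound, so the comparison has to happen outside these hunks; please document on the field that it accumulates across chunk extensions and trailers for the whole body, and confirm it is zeroed wherever the ctx is initialized or reused.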