# HG changeset patch # User Valentin Bartenev # Date 1460636055 -10800 # Node ID 0aa07850922fe1422b39261825f4a2a6eeaaf31e # Parent 80ba811112ed495703e300985c53c0a52cf0284c HTTP/2: refuse streams with data until SETTINGS is acknowledged. A client is allowed to send requests before receiving and acknowledging the SETTINGS frame. Such a client having a wrong idea about the stream's could send the request body that nginx isn't ready to process. The previous behavior was to send RST_STREAM with FLOW_CONTROL_ERROR in such case, but it didn't allow retrying requests that have been rejected. diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c --- a/src/http/v2/ngx_http_v2.c +++ b/src/http/v2/ngx_http_v2.c @@ -1058,6 +1058,12 @@ ngx_http_v2_state_headers(ngx_http_v2_co goto rst_stream; } + if (!h2c->settings_ack && !(h2c->state.flags & NGX_HTTP_V2_END_STREAM_FLAG)) + { + status = NGX_HTTP_V2_REFUSED_STREAM; + goto rst_stream; + } + node = ngx_http_v2_get_node_by_id(h2c, h2c->state.sid, 1); if (node == NULL) { @@ -1878,7 +1884,7 @@ ngx_http_v2_state_settings(ngx_http_v2_c return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_SIZE_ERROR); } - /* TODO settings acknowledged */ + h2c->settings_ack = 1; return ngx_http_v2_state_complete(h2c, pos, end); } diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h --- a/src/http/v2/ngx_http_v2.h +++ b/src/http/v2/ngx_http_v2.h @@ -141,6 +141,7 @@ struct ngx_http_v2_connection_s { ngx_uint_t last_sid; unsigned closed_nodes:8; + unsigned settings_ack:1; unsigned blocked:1; };