# HG changeset patch # User Maxim Dounin # Date 1624892478 -10800 # Node ID 41f4bd4c51f132204aaabf8d6ffd6bc2f1a6e1ad # Parent b4073527be81afb49dac00f15a93b8871b4869b8 Disabled control characters and space in header names. Control characters (0x00-0x1f, 0x7f), space, and colon were never allowed in header names. The only somewhat valid use is header continuation which nginx never supported and which is explicitly obsolete by RFC 7230. Previously, such headers were considered invalid and were ignored by default (as per ignore_invalid_headers directive). With this change, such headers are unconditionally rejected. It is expected to make nginx more resilient to various attacks, in particular, with ignore_invalid_headers switched off (which is inherently unsecure, though nevertheless sometimes used in the wild). diff --git a/src/http/modules/ngx_http_grpc_module.c b/src/http/modules/ngx_http_grpc_module.c --- a/src/http/modules/ngx_http_grpc_module.c +++ b/src/http/modules/ngx_http_grpc_module.c @@ -3384,7 +3384,7 @@ ngx_http_grpc_validate_header_name(ngx_h return NGX_ERROR; } - if (ch == '\0' || ch == CR || ch == LF) { + if (ch <= 0x20 || ch == 0x7f) { return NGX_ERROR; } } diff --git a/src/http/ngx_http_parse.c b/src/http/ngx_http_parse.c --- a/src/http/ngx_http_parse.c +++ b/src/http/ngx_http_parse.c @@ -893,7 +893,7 @@ ngx_http_parse_header_line(ngx_http_requ break; } - if (ch == '\0') { + if (ch <= 0x20 || ch == 0x7f || ch == ':') { return NGX_HTTP_PARSE_INVALID_HEADER; } @@ -961,7 +961,7 @@ ngx_http_parse_header_line(ngx_http_requ break; } - if (ch == '\0') { + if (ch <= 0x20 || ch == 0x7f) { return NGX_HTTP_PARSE_INVALID_HEADER; } diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c --- a/src/http/v2/ngx_http_v2.c +++ b/src/http/v2/ngx_http_v2.c @@ -3457,7 +3457,7 @@ ngx_http_v2_validate_header(ngx_http_req continue; } - if (ch == '\0' || ch == LF || ch == CR || ch == ':' + if (ch <= 0x20 || ch == 0x7f || ch == ':' || (ch >= 'A' && ch <= 'Z')) { ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,