Mercurial > hg > nginx

changeset 7885:e0fdd75871e4

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Disabled control characters in the Host header. Control characters (0x00-0x1f, 0x7f) and space are not expected to appear in the Host header. Requests with such characters in the Host header are now unconditionally rejected.
author Maxim Dounin <mdounin@mdounin.ru>
date Mon, 28 Jun 2021 18:01:24 +0300
parents b87b7092cedb
children 7f5e3595caff
files src/http/ngx_http_request.c
diffstat 1 files changed, 4 insertions(+), 3 deletions(-) [+]
line wrap: on
line diff
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -2176,15 +2176,16 @@ ngx_http_validate_host(ngx_str_t *host, 
             }
             break;
 
-        case '\0':
-            return NGX_DECLINED;
-
         default:
 
             if (ngx_path_separator(ch)) {
                 return NGX_DECLINED;
             }
 
+            if (ch <= 0x20 || ch == 0x7f) {
+                return NGX_DECLINED;
+            }
+
             if (ch >= 'A' && ch <= 'Z') {
                 alloc = 1;
             }