Request methods with hyphens

Maxim Dounin mdounin at mdounin.ru
Wed Jul 10 14:08:48 UTC 2013 

Hello!

On Wed, Jul 10, 2013 at 10:47:35PM +0900, Hiroaki Nakamura wrote:

> Hi all,
> 
> I found nginx rejects request methods with hyphens like
> VERSION-CONTROL with the status code 400.
> I got the following debug log:
> 
> 2013/07/10 13:55:29 [info] 79048#0: *4 client sent invalid method
> while reading client request line, client: 127.0.0.1, server:
> localhost, request: "VERSION-CONTROL / HTTP/1.1"
> 2013/07/10 13:55:29 [debug] 79048#0: *4 http finalize request: 400, "?" a:1, c:1

Is it a method used by some real-world software?

> I looked at the source code and found nginx will accept only 'A'-'Z'
> and '_' as request methods.
> http://trac.nginx.org/nginx/browser/nginx/src/http/ngx_http_parse.c?rev=626f288fa5ede7ee3cbeffe950cb9dd611e10c52#L270
> 
> RFC2616 says the method is case-sensitive and
> methods can have <any CHAR except CTLs or separators>
> 
> http://tools.ietf.org/html/rfc2616#section-5.1.1
> 
> 5.1.1 Method
> The Method  token indicates the method to be performed on the
>    resource identified by the Request-URI. The method is case-sensitive.
> 
>        Method         = "OPTIONS"                ; Section 9.2
>                       | "GET"                    ; Section 9.3
>                       | "HEAD"                   ; Section 9.4
>                       | "POST"                   ; Section 9.5
>                       | "PUT"                    ; Section 9.6
>                       | "DELETE"                 ; Section 9.7
>                       | "TRACE"                  ; Section 9.8
>                       | "CONNECT"                ; Section 9.9
>                       | extension-method
>        extension-method = token
> 
> 
> http://tools.ietf.org/html/rfc2616#section-2.2
> 
>        token          = 1*<any CHAR except CTLs or separators>
>        separators     = "(" | ")" | "<" | ">" | "@"
>                       | "," | ";" | ":" | "\" | <">
>                       | "/" | "[" | "]" | "?" | "="
>                       | "{" | "}" | SP | HT
> 
> 
> Also, when a server rejects a method, the status code should be 405 or 501.
> 
> http://tools.ietf.org/html/rfc2616#section-5.1.1
> 
>    An origin server SHOULD return the status code 405 (Method Not Allowed)
>    if the method is known by the origin server but not allowed for the
>    requested resource, and 501 (Not Implemented) if the method is
>    unrecognized or not implemented by the origin server.
> 
> I wonder how to improve nginx on accepting or rejecting request methods.
> Comments are welcome.

As of now nginx rejects anything which isn't uppercase latin 
letters (or underscore) as syntactically invalid (and hence 400).

I don't think that current behaviour should be changed unless 
there are good reasons to.  If there are good reasons, we probably 
should do something similar to underscores_in_headers, see 
http://nginx.org/r/underscores_in_headers.

-- 
Maxim Dounin
http://nginx.org/en/donation.html

More information about the nginx-devel mailing list