HTTP methods with '-' char

Maxim Dounin mdounin at mdounin.ru
Thu May 22 13:22:58 UTC 2014


Hello!

On Thu, May 22, 2014 at 02:29:23AM -0300, George Fleury wrote:

> Hi all, 
> 
> i'm porting apache https mod_cluster to NGINX, however the methods used for internal control mod_cluster 
> use the character '-' (ex: ENABLE-APP), and for NGINX these methods are invalid because of character '- ‘. 
> Now comes my doubts, gave a quick read in RFCs 2616 and 822 and found nothing saying that the '-' character 
> can not be used in token methods of http/1.1. Is that right or there is a reason?

As of now, nginx doesn't allow any characters other than uppercase 
latin letters and "_" in method names.  While this is stricter 
than what HTTP requires, though covers almost all known valid 
uses, thus limiting potential attack vectors.

See the thread here for previous discussion on this:

http://mailman.nginx.org/pipermail/nginx-devel/2013-July/003929.html

-- 
Maxim Dounin
http://nginx.org/



More information about the nginx-devel mailing list