[nginx] Added CONNECT method rejection.
Maxim Dounin
mdounin at mdounin.ru
Mon Jun 28 18:36:16 UTC 2021
details: https://hg.nginx.org/nginx/rev/63c66b7cc07c
branches:
changeset: 7877:63c66b7cc07c
user: Maxim Dounin <mdounin at mdounin.ru>
date: Mon Jun 28 18:01:04 2021 +0300
description:
Added CONNECT method rejection.
No valid CONNECT requests are expected to appear within nginx, since it
is not a forward proxy. Further, request line parsing will reject
proper CONNECT requests anyway, since we don't allow authority-form of
request-target. On the other hand, RFC 7230 specifies separate message
length rules for CONNECT which we don't support, so make sure to always
reject CONNECTs to avoid potential abuse.
diffstat:
src/http/ngx_http_parse.c | 5 +++++
src/http/ngx_http_request.c | 7 +++++++
src/http/ngx_http_request.h | 33 +++++++++++++++++----------------
src/http/v2/ngx_http_v2.c | 3 ++-
4 files changed, 31 insertions(+), 17 deletions(-)
diffs (88 lines):
diff -r b290610bf812 -r 63c66b7cc07c src/http/ngx_http_parse.c
--- a/src/http/ngx_http_parse.c Mon Jun 28 18:01:00 2021 +0300
+++ b/src/http/ngx_http_parse.c Mon Jun 28 18:01:04 2021 +0300
@@ -246,6 +246,11 @@ ngx_http_parse_request_line(ngx_http_req
r->method = NGX_HTTP_OPTIONS;
}
+ if (ngx_str7_cmp(m, 'C', 'O', 'N', 'N', 'E', 'C', 'T', ' '))
+ {
+ r->method = NGX_HTTP_CONNECT;
+ }
+
break;
case 8:
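Review bot: The new branch in the length-7 arm recognizes CONNECT only so that it can be refused later, and nothing in the hunk says so; a reader could take it as the start of CONNECT support. Suggest a comment above the added check: `/* recognized only so that ngx_http_process_request_header() can reject it */`. The comparison requires the trailing space as the eighth byte, mirroring the OPTIONS check just above it, and per the commit message a proper authority-form CONNECT is rejected by request-target parsing anyway, so this assignment matters for CONNECTs that carry an origin-form target. ngx_http_parse_request_line() starts and ends outside the hunk.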
diff -r b290610bf812 -r 63c66b7cc07c src/http/ngx_http_request.c
--- a/src/http/ngx_http_request.c Mon Jun 28 18:01:00 2021 +0300
+++ b/src/http/ngx_http_request.c Mon Jun 28 18:01:04 2021 +0300
@@ -2006,6 +2006,13 @@ ngx_http_process_request_header(ngx_http
}
}
+ if (r->method == NGX_HTTP_CONNECT) {
+ ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
+ "client sent CONNECT method");
+ ngx_http_finalize_request(r, NGX_HTTP_NOT_ALLOWED);
+ return NGX_ERROR;
+ }
+
if (r->method == NGX_HTTP_TRACE) {
ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
"client sent TRACE method");
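Review bot: The rejection is placed ahead of the TRACE check with the same log-and-finalize pattern, but carries no comment explaining why a syntactically valid CONNECT is refused here; the rationale from the commit message belongs next to the code, e.g. `/* CONNECT is never valid here: nginx is not a forward proxy and the separate CONNECT message-length rules of RFC 7230 are not implemented */`. As with the existing TRACE branch, the 405 is generated without the Allow header that RFC 7231 section 6.5.5 requires; that is pre-existing behaviour, but this adds a second such response. If HTTP/2 requests also pass through ngx_http_process_request_header() (the ngx_http_v2.c hunk appears to rely on that), the check covers both protocols in one place. ngx_http_process_request_header() continues on both sides of the hunk.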
diff -r b290610bf812 -r 63c66b7cc07c src/http/ngx_http_request.h
--- a/src/http/ngx_http_request.h Mon Jun 28 18:01:00 2021 +0300
+++ b/src/http/ngx_http_request.h Mon Jun 28 18:01:04 2021 +0300
@@ -25,22 +25,23 @@
#define NGX_HTTP_VERSION_11 1001
#define NGX_HTTP_VERSION_20 2000
-#define NGX_HTTP_UNKNOWN 0x0001
-#define NGX_HTTP_GET 0x0002
-#define NGX_HTTP_HEAD 0x0004
-#define NGX_HTTP_POST 0x0008
-#define NGX_HTTP_PUT 0x0010
-#define NGX_HTTP_DELETE 0x0020
-#define NGX_HTTP_MKCOL 0x0040
-#define NGX_HTTP_COPY 0x0080
-#define NGX_HTTP_MOVE 0x0100
-#define NGX_HTTP_OPTIONS 0x0200
-#define NGX_HTTP_PROPFIND 0x0400
-#define NGX_HTTP_PROPPATCH 0x0800
-#define NGX_HTTP_LOCK 0x1000
-#define NGX_HTTP_UNLOCK 0x2000
-#define NGX_HTTP_PATCH 0x4000
-#define NGX_HTTP_TRACE 0x8000
+#define NGX_HTTP_UNKNOWN 0x00000001
+#define NGX_HTTP_GET 0x00000002
+#define NGX_HTTP_HEAD 0x00000004
+#define NGX_HTTP_POST 0x00000008
+#define NGX_HTTP_PUT 0x00000010
+#define NGX_HTTP_DELETE 0x00000020
+#define NGX_HTTP_MKCOL 0x00000040
+#define NGX_HTTP_COPY 0x00000080
+#define NGX_HTTP_MOVE 0x00000100
+#define NGX_HTTP_OPTIONS 0x00000200
+#define NGX_HTTP_PROPFIND 0x00000400
+#define NGX_HTTP_PROPPATCH 0x00000800
+#define NGX_HTTP_LOCK 0x00001000
+#define NGX_HTTP_UNLOCK 0x00002000
+#define NGX_HTTP_PATCH 0x00004000
+#define NGX_HTTP_TRACE 0x00008000
+#define NGX_HTTP_CONNECT 0x00010000
#define NGX_HTTP_CONNECTION_CLOSE 1
#define NGX_HTTP_CONNECTION_KEEP_ALIVE 2
diff -r b290610bf812 -r 63c66b7cc07c src/http/v2/ngx_http_v2.c
--- a/src/http/v2/ngx_http_v2.c Mon Jun 28 18:01:00 2021 +0300
+++ b/src/http/v2/ngx_http_v2.c Mon Jun 28 18:01:04 2021 +0300
@@ -3606,7 +3606,8 @@ ngx_http_v2_parse_method(ngx_http_reques
{ 4, "LOCK", NGX_HTTP_LOCK },
{ 6, "UNLOCK", NGX_HTTP_UNLOCK },
{ 5, "PATCH", NGX_HTTP_PATCH },
- { 5, "TRACE", NGX_HTTP_TRACE }
+ { 5, "TRACE", NGX_HTTP_TRACE },
+ { 7, "CONNECT", NGX_HTTP_CONNECT }
}, *test;
if (r->method_name.len) {
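Review bot: The new table entry makes an HTTP/2 CONNECT resolve to NGX_HTTP_CONNECT instead of staying NGX_HTTP_UNKNOWN, so the 405 added in ngx_http_request.c only applies if v2 requests reach ngx_http_process_request_header(); the hunk does not show that path, so it should be confirmed rather than assumed. Per RFC 7540 section 8.3 a conforming HTTP/2 CONNECT omits :scheme and :path, so if the stream's pseudo-header validation already rejects such requests earlier, this entry matters only for non-conforming CONNECTs that do carry them. A one-line comment on the entry, `/* mapped only so that the request is rejected with 405 */`, would make the intent clear. ngx_http_v2_parse_method() continues beyond the hunk.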