[nginx] Disabled control characters in the Host header.

Maxim Dounin mdounin at mdounin.ru
Mon Jun 28 18:36:41 UTC 2021


details:   https://hg.nginx.org/nginx/rev/e0fdd75871e4
branches:  
changeset: 7885:e0fdd75871e4
user:      Maxim Dounin <mdounin at mdounin.ru>
date:      Mon Jun 28 18:01:24 2021 +0300
description:
Disabled control characters in the Host header.

Control characters (0x00-0x1f, 0x7f) and space are not expected to appear
in the Host header.  Requests with such characters in the Host header are
now unconditionally rejected.

diffstat:

 src/http/ngx_http_request.c |  7 ++++---
 1 files changed, 4 insertions(+), 3 deletions(-)

diffs (23 lines):

diff -r b87b7092cedb -r e0fdd75871e4 src/http/ngx_http_request.c
--- a/src/http/ngx_http_request.c	Mon Jun 28 18:01:20 2021 +0300
+++ b/src/http/ngx_http_request.c	Mon Jun 28 18:01:24 2021 +0300
@@ -2176,15 +2176,16 @@ ngx_http_validate_host(ngx_str_t *host, 
             }
             break;
 
-        case '\0':
-            return NGX_DECLINED;
-
         default:
 
             if (ngx_path_separator(ch)) {
                 return NGX_DECLINED;
             }
 
+            if (ch <= 0x20 || ch == 0x7f) {
+                return NGX_DECLINED;
+            }
+
             if (ch >= 'A' && ch <= 'Z') {
                 alloc = 1;
             }
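Review bot: the new `ch <= 0x20 || ch == 0x7f` test in the default branch is written with bare hex literals and no comment, so a reader has to go back to the commit message to learn that 0x20 is included on purpose to reject space as well as the control range. A short comment such as "control characters and space" above the test would keep that intent in the source. The comparison also only behaves as described if `ch` is an unsigned byte; the declaration is outside this hunk, so it is worth confirming, because with a signed char every byte at or above 0x80 would compare below 0x20 and be declined too. Removing the `case '\0'` arm is safe, since 0x00 now falls through to default and is caught by the same test after the `ngx_path_separator(ch)` check. The diffstat shows only src/http/ngx_http_request.c changed, so a regression test that sends Host values containing a tab, a space and 0x7f and expects rejection would be a useful companion.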

