[PATCH] Add strict Host validation
Piotr Sikora
piotr at cloudflare.com
Thu Dec 18 02:48:37 UTC 2014
# HG changeset patch
# User Piotr Sikora <piotr at cloudflare.com>
# Date 1418870862 28800
# Wed Dec 17 18:47:42 2014 -0800
# Node ID ab0442e232ce098438943a77422d8a04cc5b6790
# Parent 99751fe3bc3b285801b434f7f707d87fa42b093e
Add strict Host validation.

According to RFC3986, Host is a sequence of printable ASCII characters,
with the exception of: space, ", #, /, <, >, ?, @, \, ^, `, {, | and }.

Signed-off-by: Piotr Sikora <piotr at cloudflare.com>

diff -r 99751fe3bc3b -r ab0442e232ce src/http/ngx_http_request.c
--- a/src/http/ngx_http_request.c Fri Dec 12 20:25:42 2014 +0300
+++ b/src/http/ngx_http_request.c Wed Dec 17 18:47:42 2014 -0800
@@ -1955,12 +1955,25 @@ ngx_http_validate_host(ngx_str_t *host,
}
break;
- case '\0':
+ case ' ':
+ case '"':
+ case '#':
+ case '/':
+ case '<':
+ case '>':
+ case '?':
+ case '@':
+ case '\\':
+ case '^':
+ case '`':
+ case '{':
+ case '|':
+ case '}':
return NGX_DECLINED;
default:
- if (ngx_path_separator(ch)) {
+ if (ch < 0x20 || ch > 0x7e) {
return NGX_DECLINED;
}
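
Review bot: in the default branch, the new test (ch < 0x20 || ch > 0x7e) declines every byte above 0x7e, so a Host header carrying raw non-ASCII bytes now gets NGX_DECLINED, where the removed lines in this switch declined only '\0' and ngx_path_separator(ch). The commit message gives the target character set but does not say that previously accepted input is now refused; please state that there, and add a short comment above the case list naming the RFC 3986 exclusions so the list can be audited against the spec. The dropped case '\0' is still covered by ch < 0x20, and '/' and '\\' are now explicit cases, so, assuming ngx_path_separator() matches only those two characters, nothing this switch declined before becomes accepted.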