[PATCH 4 of 4] HTTP/2: reject HTTP/2 requests with connection-specific headers
Piotr Sikora
piotrsikora at google.com
Tue Jun 13 12:19:48 UTC 2017
# HG changeset patch
# User Piotr Sikora <piotrsikora at google.com>
# Date 1490516709 25200
# Sun Mar 26 01:25:09 2017 -0700
# Node ID e2abc3bc3fc12b788d2631d3c47215acdc4ebbe6
# Parent 6263d68cb96042d8f8974a4a3945226227ce13b9
HTTP/2: reject HTTP/2 requests with connection-specific headers.
Signed-off-by: Piotr Sikora <piotrsikora at google.com>
diff -r 6263d68cb960 -r e2abc3bc3fc1 src/http/ngx_http_request.c
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -19,6 +19,8 @@ static ngx_int_t ngx_http_alloc_large_he
static ngx_int_t ngx_http_process_header_line(ngx_http_request_t *r,
ngx_table_elt_t *h, ngx_uint_t offset);
+static ngx_int_t ngx_http_process_http1_header_line(ngx_http_request_t *r,
+ ngx_table_elt_t *h, ngx_uint_t offset);
static ngx_int_t ngx_http_process_unique_header_line(ngx_http_request_t *r,
ngx_table_elt_t *h, ngx_uint_t offset);
static ngx_int_t ngx_http_process_multi_header_lines(ngx_http_request_t *r,
@@ -146,7 +148,7 @@ ngx_http_header_t ngx_http_headers_in[]
{ ngx_string("Upgrade"),
offsetof(ngx_http_headers_in_t, upgrade),
- ngx_http_process_header_line },
+ ngx_http_process_http1_header_line },
#if (NGX_HTTP_GZIP)
{ ngx_string("Accept-Encoding"),
@@ -161,8 +163,13 @@ ngx_http_header_t ngx_http_headers_in[]
offsetof(ngx_http_headers_in_t, authorization),
ngx_http_process_unique_header_line },
- { ngx_string("Keep-Alive"), offsetof(ngx_http_headers_in_t, keep_alive),
- ngx_http_process_header_line },
+ { ngx_string("Keep-Alive"),
+ offsetof(ngx_http_headers_in_t, keep_alive),
+ ngx_http_process_http1_header_line },
+
+ { ngx_string("Proxy-Connection"),
+ offsetof(ngx_http_headers_in_t, proxy_connection),
+ ngx_http_process_http1_header_line },
#if (NGX_HTTP_X_FORWARDED_FOR)
{ ngx_string("X-Forwarded-For"),
@@ -1618,6 +1625,35 @@ ngx_http_process_header_line(ngx_http_re
static ngx_int_t
+ngx_http_process_http1_header_line(ngx_http_request_t *r, ngx_table_elt_t *h,
+ ngx_uint_t offset)
+{
+ ngx_table_elt_t **ph;
+
+ ph = (ngx_table_elt_t **) ((char *) &r->headers_in + offset);
+
+ if (*ph == NULL) {
+ *ph = h;
+ }
+
+#if (NGX_HTTP_V2)
+
+ if (r->stream) {
+ ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
+ "client sent HTTP/2 request with \"%V\" header",
+ &h->key);
+
+ ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
+ return NGX_ERROR;
+ }
+
+#endif
+
+ return NGX_OK;
+}
+
+
+static ngx_int_t
ngx_http_process_unique_header_line(ngx_http_request_t *r, ngx_table_elt_t *h,
ngx_uint_t offset)
{
diff -r 6263d68cb960 -r e2abc3bc3fc1 src/http/ngx_http_request.h
--- a/src/http/ngx_http_request.h
+++ b/src/http/ngx_http_request.h
@@ -209,6 +209,7 @@ typedef struct {
ngx_table_elt_t *authorization;
ngx_table_elt_t *keep_alive;
+ ngx_table_elt_t *proxy_connection;
#if (NGX_HTTP_X_FORWARDED_FOR)
ngx_array_t x_forwarded_for;
More information about the nginx-devel
mailing list