[nginx] Added CONNECT method rejection.

Maxim Dounin mdounin at mdounin.ru
Mon Jun 28 18:36:16 UTC 2021


details:   https://hg.nginx.org/nginx/rev/63c66b7cc07c
branches:  
changeset: 7877:63c66b7cc07c
user:      Maxim Dounin <mdounin at mdounin.ru>
date:      Mon Jun 28 18:01:04 2021 +0300
description:
Added CONNECT method rejection.

No valid CONNECT requests are expected to appear within nginx, since it
is not a forward proxy.  Further, request line parsing will reject
proper CONNECT requests anyway, since we don't allow authority-form of
request-target.  On the other hand, RFC 7230 specifies separate message
length rules for CONNECT which we don't support, so make sure to always
reject CONNECTs to avoid potential abuse.

diffstat:

 src/http/ngx_http_parse.c   |   5 +++++
 src/http/ngx_http_request.c |   7 +++++++
 src/http/ngx_http_request.h |  33 +++++++++++++++++----------------
 src/http/v2/ngx_http_v2.c   |   3 ++-
 4 files changed, 31 insertions(+), 17 deletions(-)

diffs (88 lines):

diff -r b290610bf812 -r 63c66b7cc07c src/http/ngx_http_parse.c
--- a/src/http/ngx_http_parse.c	Mon Jun 28 18:01:00 2021 +0300
+++ b/src/http/ngx_http_parse.c	Mon Jun 28 18:01:04 2021 +0300
@@ -246,6 +246,11 @@ ngx_http_parse_request_line(ngx_http_req
                         r->method = NGX_HTTP_OPTIONS;
                     }
 
+                    if (ngx_str7_cmp(m, 'C', 'O', 'N', 'N', 'E', 'C', 'T', ' '))
+                    {
+                        r->method = NGX_HTTP_CONNECT;
+                    }
+
                     break;
 
                 case 8:
diff -r b290610bf812 -r 63c66b7cc07c src/http/ngx_http_request.c
--- a/src/http/ngx_http_request.c	Mon Jun 28 18:01:00 2021 +0300
+++ b/src/http/ngx_http_request.c	Mon Jun 28 18:01:04 2021 +0300
@@ -2006,6 +2006,13 @@ ngx_http_process_request_header(ngx_http
         }
     }
 
+    if (r->method == NGX_HTTP_CONNECT) {
+        ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
+                      "client sent CONNECT method");
+        ngx_http_finalize_request(r, NGX_HTTP_NOT_ALLOWED);
+        return NGX_ERROR;
+    }
+
     if (r->method == NGX_HTTP_TRACE) {
         ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
                       "client sent TRACE method");
diff -r b290610bf812 -r 63c66b7cc07c src/http/ngx_http_request.h
--- a/src/http/ngx_http_request.h	Mon Jun 28 18:01:00 2021 +0300
+++ b/src/http/ngx_http_request.h	Mon Jun 28 18:01:04 2021 +0300
@@ -25,22 +25,23 @@
 #define NGX_HTTP_VERSION_11                1001
 #define NGX_HTTP_VERSION_20                2000
 
-#define NGX_HTTP_UNKNOWN                   0x0001
-#define NGX_HTTP_GET                       0x0002
-#define NGX_HTTP_HEAD                      0x0004
-#define NGX_HTTP_POST                      0x0008
-#define NGX_HTTP_PUT                       0x0010
-#define NGX_HTTP_DELETE                    0x0020
-#define NGX_HTTP_MKCOL                     0x0040
-#define NGX_HTTP_COPY                      0x0080
-#define NGX_HTTP_MOVE                      0x0100
-#define NGX_HTTP_OPTIONS                   0x0200
-#define NGX_HTTP_PROPFIND                  0x0400
-#define NGX_HTTP_PROPPATCH                 0x0800
-#define NGX_HTTP_LOCK                      0x1000
-#define NGX_HTTP_UNLOCK                    0x2000
-#define NGX_HTTP_PATCH                     0x4000
-#define NGX_HTTP_TRACE                     0x8000
+#define NGX_HTTP_UNKNOWN                   0x00000001
+#define NGX_HTTP_GET                       0x00000002
+#define NGX_HTTP_HEAD                      0x00000004
+#define NGX_HTTP_POST                      0x00000008
+#define NGX_HTTP_PUT                       0x00000010
+#define NGX_HTTP_DELETE                    0x00000020
+#define NGX_HTTP_MKCOL                     0x00000040
+#define NGX_HTTP_COPY                      0x00000080
+#define NGX_HTTP_MOVE                      0x00000100
+#define NGX_HTTP_OPTIONS                   0x00000200
+#define NGX_HTTP_PROPFIND                  0x00000400
+#define NGX_HTTP_PROPPATCH                 0x00000800
+#define NGX_HTTP_LOCK                      0x00001000
+#define NGX_HTTP_UNLOCK                    0x00002000
+#define NGX_HTTP_PATCH                     0x00004000
+#define NGX_HTTP_TRACE                     0x00008000
+#define NGX_HTTP_CONNECT                   0x00010000
 
 #define NGX_HTTP_CONNECTION_CLOSE          1
 #define NGX_HTTP_CONNECTION_KEEP_ALIVE     2
diff -r b290610bf812 -r 63c66b7cc07c src/http/v2/ngx_http_v2.c
--- a/src/http/v2/ngx_http_v2.c	Mon Jun 28 18:01:00 2021 +0300
+++ b/src/http/v2/ngx_http_v2.c	Mon Jun 28 18:01:04 2021 +0300
@@ -3606,7 +3606,8 @@ ngx_http_v2_parse_method(ngx_http_reques
         { 4, "LOCK",      NGX_HTTP_LOCK },
         { 6, "UNLOCK",    NGX_HTTP_UNLOCK },
         { 5, "PATCH",     NGX_HTTP_PATCH },
-        { 5, "TRACE",     NGX_HTTP_TRACE }
+        { 5, "TRACE",     NGX_HTTP_TRACE },
+        { 7, "CONNECT",   NGX_HTTP_CONNECT }
     }, *test;
 
     if (r->method_name.len) {


More information about the nginx-devel mailing list