[nginx] Disabled requests with both Content-Length and Transfer-Encoding.
Maxim Dounin
mdounin at mdounin.ru
Mon Jun 28 18:36:19 UTC 2021
details: https://hg.nginx.org/nginx/rev/bea0f9e5c309
branches:
changeset: 7878:bea0f9e5c309
user: Maxim Dounin <mdounin at mdounin.ru>
date: Mon Jun 28 18:01:06 2021 +0300
description:
Disabled requests with both Content-Length and Transfer-Encoding.
HTTP clients are not allowed to generate such requests since Transfer-Encoding
introduction in RFC 2068, and they are not expected to appear in practice
except in attempts to perform a request smuggling attack. While handling of
such requests is strictly defined, the most secure approach seems to reject
them.
diffstat:
src/http/ngx_http_request.c | 11 +++++++++--
1 files changed, 9 insertions(+), 2 deletions(-)
diffs (21 lines):
diff -r 63c66b7cc07c -r bea0f9e5c309 src/http/ngx_http_request.c
--- a/src/http/ngx_http_request.c Mon Jun 28 18:01:04 2021 +0300
+++ b/src/http/ngx_http_request.c Mon Jun 28 18:01:06 2021 +0300
@@ -1985,8 +1985,15 @@ ngx_http_process_request_header(ngx_http
&& ngx_strncasecmp(r->headers_in.transfer_encoding->value.data,
(u_char *) "chunked", 7) == 0)
{
- r->headers_in.content_length = NULL;
- r->headers_in.content_length_n = -1;
+ if (r->headers_in.content_length) {
+ ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
+ "client sent \"Content-Length\" and "
+ "\"Transfer-Encoding\" headers "
+ "at the same time");
+ ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
+ return NGX_ERROR;
+ }
+
r->headers_in.chunked = 1;
} else {
More information about the nginx-devel
mailing list