[patch] reject http header without colon (:) in the header name
Maksim Yevmenkin
maksim.yevmenkin at gmail.com
Tue May 7 21:32:23 UTC 2024
hello,
it appears that nginx would happily accept http header without colon
(:) in the header name. the patch below tries to address this.
thanks
max
==
--- a/ports/netflix/nginx/files/nginx/src/http/ngx_http_parse.c
+++ b/ports/netflix/nginx/files/nginx/src/http/ngx_http_parse.c
@@ -941,14 +941,14 @@ ngx_http_parse_header_line(ngx_http_request_t
*r, ngx_buf_t *b,
r->header_start = p;
r->header_end = p;
state = sw_almost_done;
- break;
+ return NGX_HTTP_PARSE_INVALID_HEADER;
}
if (ch == LF) {
r->header_name_end = p;
r->header_start = p;
r->header_end = p;
- goto done;
+ return NGX_HTTP_PARSE_INVALID_HEADER;
}
/* IIS may send the duplicate "HTTP/1.1 ..." lines */
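Review bot: In the CR branch the new `return NGX_HTTP_PARSE_INVALID_HEADER;` sits directly after `state = sw_almost_done;`, so that assignment looks dead once the function returns at that point, and it is unclear whether the `r->header_start` / `r->header_end` stores above it (and the `r->header_name_end`, `r->header_start`, `r->header_end` stores in the LF branch) are still wanted. Either drop the assignments the error path does not need, or add a comment saying which of them the caller relies on when it reports the bad line. The CR branch also returns before the LF that normally follows has been examined, so the patch should state where parsing resumes after the error. The file paths are under ports/netflix/nginx/files/nginx/, so the diff needs regenerating against src/http/ngx_http_parse.c to apply to the nginx tree. A test covering a colon-less header line terminated by CRLF and by a bare LF would document the intended rejection in both branches.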