[patch] reject http header without colon (:) in the header name

Илья Шипицин chipitsine at gmail.com
Mon May 13 15:59:50 UTC 2024


nginx is about as popular as GWS, same reasoning might be considered.

btw, do you suggest to

1) introduce new behaviour by some setting (default is unchanged)
2) change default behaviour

?

and I'm quite curious why do you want to change current behaviour

пн, 13 мая 2024 г. в 16:30, Ben Kallus <benjamin.p.kallus.gr at dartmouth.edu>:

> Okay; I should have been more specific. I meant that nginx is unique
> among *general-purpose* web servers.
>
> GWS is something of an special case; it also accepts requests with no
> Host header, and doesn't validate the version string (e.g.,
> HTTP/1.999999999 is accepted).
>
> Google has opted into these strange behaviors because it makes sense
> for them as the only users of GWS. These are, of course, bad defaults
> for a general-purpose HTTP/1.1 server.
>
> The "silently ignore invalid headers" behavior, imo, falls into the
> same category.
>
> -Ben
> _______________________________________________
> nginx-devel mailing list
> nginx-devel at nginx.org
> https://mailman.nginx.org/mailman/listinfo/nginx-devel
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20240513/baae3d76/attachment.htm>


More information about the nginx-devel mailing list