[patch] reject http header without colon (:) in the header name
Ben Kallus
benjamin.p.kallus.gr at dartmouth.edu
Mon May 13 20:09:45 UTC 2024
> nginx is about as popular as GWS, same reasoning might be considered.
What I'm saying is exceptional about GWS is not its popularity. Of
course, Nginx (and Apache) are similarly popular. I'm arguing that
because GWS is by design a single-purpose web server that serves the
interest of a single company, it is expected that it implements
unorthodox decisions that benefit that company.
Nginx is general-purpose software. It is therefore reasonable to
expect that it would support a configuration that behaves in the way
most users expect a web server to behave (i.e., reject invalid
incoming messages).
> btw, do you suggest to
> 1) introduce new behaviour by some setting (default is unchanged)
> 2) change default behaviour
Changing defaults is messy for programs as relied-upon as Nginx. I
offer no suggestions about how default behaviors should change.
> and I'm quite curious why do you want to change current behaviour
HTTP request smuggling attacks rely on inconsistent parsing behaviors
across web servers. These same behaviors also form the basis for HTTP
server fingerprinting techniques. It is not always obvious at first
glance whether a discrepancy is useful for these purposes. For this
reason, I am generally in favor of offering users the opportunity to
opt out of behaviors that are not recommended by the RFCs.
-Ben
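To make the framing concern concrete, here is an added example (not code from nginx, from the patch under discussion, or from anyone on this thread): a strict HTTP/1.1 header-section parser that rejects a field line with no colon, placed next to a hypothetical lenient parser that silently drops such a line. The request bytes, the `BadRequest` class and every function name are constructed for this illustration; the lenient parser is not a claim about what nginx or any other server does. The point it shows is that the same bytes yield a different body length under the two parsers, which is the kind of discrepancy request smuggling and fingerprinting build on.

```python
# Added example: strict vs. lenient parsing of the HTTP/1.1 header section
# (RFC 9112 section 5), not code from nginx or from the patch itself.
# All names and request bytes below are constructed for the illustration.
import re

# RFC 9110 section 5.6.2 token characters; a field name must be a token.
_TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class BadRequest(ValueError):
    """Raised by the strict parser; a server would answer 400 and close."""


def parse_headers_strict(section: bytes) -> dict[str, list[str]]:
    """Parse CRLF-separated field lines (no trailing blank line expected).

    Rejects a field line without a colon, a field name that is not a token
    (this also catches whitespace before the colon, RFC 9112 section 5.1),
    and obs-fold continuation lines.
    """
    headers: dict[str, list[str]] = {}
    for line in section.split(b"\r\n"):
        if line == b"":
            continue
        if line[:1] in (b" ", b"\t"):
            raise BadRequest(f"obsolete line folding: {line!r}")
        name, colon, value = line.partition(b":")
        if not colon:
            raise BadRequest(f"field line without colon: {line!r}")
        if not _TOKEN.match(name):
            raise BadRequest(f"invalid field name: {name!r}")
        headers.setdefault(name.lower().decode("ascii"), []).append(
            value.strip(b" \t").decode("latin-1"))
    return headers


def parse_headers_lenient(section: bytes) -> dict[str, list[str]]:
    """Hypothetical tolerant parser: a line with no colon is silently dropped.

    This is only the contrast case for the strict parser above; it does not
    describe nginx or any other real server.
    """
    headers: dict[str, list[str]] = {}
    for line in section.split(b"\r\n"):
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            continue
        headers.setdefault(name.strip().lower().decode("latin-1"), []).append(
            value.strip(b" \t").decode("latin-1"))
    return headers


def body_length(headers: dict[str, list[str]]) -> int:
    """Framing per RFC 9112 section 6: Content-Length gives the body size
    when no Transfer-Encoding is present (chunked is out of scope here)."""
    if "transfer-encoding" in headers:
        raise NotImplementedError("chunked framing is not modelled here")
    values = headers.get("content-length", [])
    if not values:
        return 0
    if len(set(values)) != 1 or not values[0].isdigit():
        raise BadRequest(f"bad Content-Length: {values!r}")
    return int(values[0])


def split_request(raw: bytes, parser) -> tuple[dict, bytes, bytes]:
    """Return (headers, body, leftover) for the first request in `raw`."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise BadRequest("incomplete header section")
    _request_line, _, section = head.partition(b"\r\n")
    headers = parser(section)
    n = body_length(headers)
    return headers, rest[:n], rest[n:]


def is_rejected(section: bytes) -> bool:
    """True if the strict parser refuses this header section."""
    try:
        parse_headers_strict(section)
    except BadRequest:
        return True
    return False


# Constructed request: the Content-Length field line is missing its colon,
# and the five bytes 'hello' are intended as this request's body.
REQUEST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length 5\r\n"
    b"\r\n"
    b"hello"
)


def compare(raw: bytes = REQUEST) -> dict[str, tuple]:
    """Run both parsers over the same bytes and report how each frames them."""
    result: dict[str, tuple] = {}
    try:
        _, body, leftover = split_request(raw, parse_headers_strict)
        result["strict"] = ("accepted", body, leftover)
    except BadRequest as e:
        result["strict"] = ("rejected", str(e))
    _, body, leftover = split_request(raw, parse_headers_lenient)
    result["lenient"] = ("accepted", body, leftover)
    return result


if __name__ == "__main__":
    for mode, outcome in compare().items():
        print(mode, outcome)
```

Under the strict parser the request is refused outright. Under the lenient one the colonless line vanishes, the request is read as having no body, and `hello` is left on the connection as the beginning of the next request; a peer that framed the same bytes as a five-byte body would disagree about where the next message starts. That disagreement, not the dropped header by itself, is what matters for smuggling.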
More information about the nginx-devel mailing list