nginx erroneously reports period character as illegal in request headers

mblancett nginx-forum at forum.nginx.org
Mon Mar 19 23:05:43 UTC 2018


Hello -

Nginx is reporting invalid incoming headers with RFC-compliant headers that
use a '.' (meaning, a period) within the name. 

As an example, I am curling to a very basic proxy setup while tailing the
error log:

The following is valid:

# curl -vvvH "a-b-c: 999" localhost:81/test/v01
* About to connect() to localhost port 81 (#0)
*   Trying ::1... connected
* Connected to localhost (::1) port 81 (#0)
> GET /test/v01 HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: localhost:81
> Accept: */*
> a-b-c: 999
> 
< HTTP/1.1 204 No Content
< Server: nginx
< Date: Mon, 19 Mar 2018 22:58:35 GMT
< Content-Length: 0
< Connection: keep-alive
< Cache-Control: max-age=0, no-store
< 
* Connection #0 to host localhost left intact
* Closing connection #0
2018/03/19 22:58:35 [info] 432544#432544: *526 client ::1 closed keepalive connection

However, a very similar request, but using a period within the header:

[root@dtord01stg02p ~]# curl -vvvH "a.b.c: 999" localhost:81/test/v01
* About to connect() to localhost port 81 (#0)
*   Trying ::1... connected
* Connected to localhost (::1) port 81 (#0)
> GET /test/v01 HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: localhost:81
> Accept: */*
> a.b.c: 999
> 
2018/03/19 22:58:38 [info] 432544#432544: *528 client sent invalid header line: "a.b.c: 999" while reading client request headers, client: ::1, server: , request: "GET /test/v01 HTTP/1.1", host: "localhost:81"
< HTTP/1.1 204 No Content
< Server: nginx
< Date: Mon, 19 Mar 2018 22:58:38 GMT
< Content-Length: 0
< Connection: keep-alive
< Cache-Control: max-age=0, no-store
< 
* Connection #0 to host localhost left intact
* Closing connection #0
2018/03/19 22:58:38 [info] 432544#432544: *528 client ::1 closed keepalive connection


I am aware that I can allow illegal requests, but standards compliance is a
strict requirement in our enterprise.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,279116,279116#msg-279116
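
An added example, not part of the original post and not nginx code: a small log audit that separates header names nginx flagged but that are valid RFC 7230 tokens (such as `a.b.c`) from names that are malformed under the RFC as well. Assumptions: the character sets come from RFC 7230 section 3.2.6 and from the nginx documentation for `ignore_invalid_headers` and `underscores_in_headers`; the function names are hypothetical; the last two log entries are constructed.

```python
import re

# RFC 7230 section 3.2.6: a field name is a token, i.e. one or more tchar.
RFC7230_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# Per the nginx docs for ignore_invalid_headers: letters, digits, hyphens,
# plus underscores only when underscores_in_headers is on.
NGINX_NAME = re.compile(r"[0-9A-Za-z-]+")
NGINX_NAME_UNDERSCORES = re.compile(r"[0-9A-Za-z_-]+")

# Error-log message format as it appears in the post above.
INVALID_HEADER = re.compile(
    r'client sent invalid header line: "(?P<line>.*?)" while reading')


def classify_name(name, underscores_in_headers=False):
    """Return 'accepted', 'rfc-valid-but-ignored' or 'malformed'."""
    nginx_set = NGINX_NAME_UNDERSCORES if underscores_in_headers else NGINX_NAME
    if nginx_set.fullmatch(name):
        return "accepted"
    if RFC7230_TOKEN.fullmatch(name):
        return "rfc-valid-but-ignored"
    return "malformed"


def audit(log_lines, underscores_in_headers=False):
    """List (header name, verdict) for every invalid-header log entry."""
    findings = []
    for entry in log_lines:
        match = INVALID_HEADER.search(entry)
        if match:
            # Everything before the first colon is the field name.
            name = match.group("line").split(":", 1)[0]
            findings.append((name, classify_name(name, underscores_in_headers)))
    return findings


SAMPLE_LOG = [
    # First two entries are from the post (wrapped lines joined).
    '2018/03/19 22:58:38 [info] 432544#432544: *528 client sent invalid header line: "a.b.c: 999" while reading client request headers, client: ::1, server: , request: "GET /test/v01 HTTP/1.1", host: "localhost:81"',
    '2018/03/19 22:58:38 [info] 432544#432544: *528 client ::1 closed keepalive connection',
    # Constructed entries for illustration.
    '2018/03/19 22:59:01 [info] 432544#432544: *530 client sent invalid header line: "x_request_id: abc" while reading client request headers, client: ::1, server: , request: "GET /test/v01 HTTP/1.1", host: "localhost:81"',
    '2018/03/19 22:59:04 [info] 432544#432544: *531 client sent invalid header line: "bad name: 1" while reading client request headers, client: ::1, server: , request: "GET /test/v01 HTTP/1.1", host: "localhost:81"',
]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_LOG):
        print(f"{name!r}: {verdict}")
```

Entries reported as `rfc-valid-but-ignored` are the ones to review: the client sent a well-formed field name, yet it is outside the set nginx accepts by default.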


