nginx.git/src/http/ngx_http_parse.c, branch release-1.29.7 nginx Improved $cookie_ evaluation. 2026-02-12T18:52:20+00:00 Vadim Zhestikov v.zhestikov@f5.com 2025-12-19T00:45:21+00:00 bf0508fabfbfa2fa778edbf5b94d5c54a952156d In case "Cookie" header is sent by client, multiple cookie pairs were incorrectly split by a semicolon and comma. Now they are split by a semicolon only. For example, next variables will be found for "Cookie: a=b, c=d; e=f": - $cookie_a: "b, c=d" - $cookie_e: "f" Closes #1042 on GitHub. 
In case "Cookie" header is sent by client, multiple cookie pairs were
incorrectly split by a semicolon and comma.

Now they are split by a semicolon only.

For example, next variables will be found for "Cookie: a=b, c=d; e=f":
- $cookie_a: "b, c=d"
- $cookie_e: "f"

Closes #1042 on GitHub.
Disabled bare LF in chunked transfer encoding. 2025-12-06T13:41:32+00:00 Sergey Kandaurov pluknet@nginx.com 2025-11-24T22:06:29+00:00 f405ef11fde6ed749318a844c010ce97483a8f98 Chunked transfer encoding, since originally introduced in HTTP/1.1 in RFC 2068, is specified to use CRLF as the only line terminator. Although tolerant applications may recognize a single LF, formally this covers the start line and fields, and doesn't apply to chunks. Strict chunked parsing is reaffirmed as intentional in RFC errata ID 7633, notably "because it does not have to retain backwards compatibility with 1.0 parsers". A general RFC 2616 recommendation to tolerate deviations whenever interpreted unambiguously doesn't apply here, because chunked body is used to determine HTTP message framing; a relaxed parsing may cause various security problems due to a broken delimitation. For instance, this is possible when receiving chunked body from intermediates that blindly parse chunk-ext or a trailer section until CRLF, and pass it further without re-coding. 
Chunked transfer encoding, since originally introduced in HTTP/1.1
in RFC 2068, is specified to use CRLF as the only line terminator.

Although tolerant applications may recognize a single LF, formally
this covers the start line and fields, and doesn't apply to chunks.
Strict chunked parsing is reaffirmed as intentional in RFC errata
ID 7633, notably "because it does not have to retain backwards
compatibility with 1.0 parsers".

A general RFC 2616 recommendation to tolerate deviations whenever
interpreted unambiguously doesn't apply here, because chunked body
is used to determine HTTP message framing; a relaxed parsing may
cause various security problems due to a broken delimitation.
For instance, this is possible when receiving chunked body from
intermediates that blindly parse chunk-ext or a trailer section
until CRLF, and pass it further without re-coding.
Changed interface of ngx_http_validate_host(). 2025-11-26T15:51:40+00:00 Sergey Kandaurov pluknet@nginx.com 2025-11-05T12:15:12+00:00 6446f99107fff83469145b16983ebec99261a2db This allows to process a port subcomponent and save it in r->port in a unified way, similar to r->headers_in.server. For HTTP/1.x request line in the absolute form, r->host_end now includes a port subcomponent, which is also consistent with HTTP/2 and HTTP/3. 
This allows to process a port subcomponent and save it in r->port
in a unified way, similar to r->headers_in.server.  For HTTP/1.x
request line in the absolute form, r->host_end now includes a port
subcomponent, which is also consistent with HTTP/2 and HTTP/3.
CONNECT method support for HTTP/1.1. 2025-10-23T14:40:05+00:00 Roman Arutyunyan arut@nginx.com 2025-09-23T11:03:52+00:00 42ca3a4576a32d0a912b0bba4088b8169f55ab2d The change allows modules to use the CONNECT method with HTTP/1.1 requests. To do so, they need to set the "allow_connect" flag in the core server configuration. 
The change allows modules to use the CONNECT method with HTTP/1.1 requests.
To do so, they need to set the "allow_connect" flag in the core server
configuration.
Added $request_port and $is_request_port variables. 2025-10-23T14:40:05+00:00 Roman Arutyunyan arut@nginx.com 2025-09-29T16:47:27+00:00 c8c7beb96f61e2251abbc345357116131cf91c22 The $request_port variable contains the port passed by the client in the request line (for HTTP/1.x) or ":authority" pseudo-header (for HTTP/2 and HTTP/3). If the request line contains no host, or ":authority" is missing, then $request_port is taken from the "Host" header, similar to the $host variable. The $is_request_port variable contains ":" if $request_port is non-empty, and is empty otherwise. 
The $request_port variable contains the port passed by the client in the
request line (for HTTP/1.x) or ":authority" pseudo-header (for HTTP/2 and
HTTP/3).  If the request line contains no host, or ":authority" is missing,
then $request_port is taken from the "Host" header, similar to the $host
variable.

The $is_request_port variable contains ":" if $request_port is non-empty,
and is empty otherwise.
Proxy: proxy_pass_trailers directive. 2024-09-13T12:47:56+00:00 Sergey Kandaurov pluknet@nginx.com 2024-09-10T12:48:11+00:00 1a64c196a7d43f83a14fec20ce8936e599c92865 The directive allows to pass upstream response trailers to client. 
The directive allows to pass upstream response trailers to client.
HTTP: removed unused r->port_start and r->port_end. 2023-11-28T09:57:14+00:00 Vladimir Khomutov vl@wbsrv.ru 2023-11-28T09:57:14+00:00 0db94ba96a00ebfc4a3c55af8eaaf20f971a7c4c Neither r->port_start nor r->port_end were ever used. The r->port_end is set by the parser, though it was never used by the following code (and was never usable, since not copied by the ngx_http_alloc_large_header_buffer() without r->port_start set). 
Neither r->port_start nor r->port_end were ever used.

The r->port_end is set by the parser, though it was never used by
the following code (and was never usable, since not copied by the
ngx_http_alloc_large_header_buffer() without r->port_start set).
Reworked multi headers to use linked lists. 2022-05-30T18:25:33+00:00 Maxim Dounin mdounin@mdounin.ru 2022-05-30T18:25:33+00:00 3aef1d693f3cc431563a7e6a6aba6a34e5290f03 Multi headers are now using linked lists instead of arrays. Notably, the following fields were changed: r->headers_in.cookies (renamed to r->headers_in.cookie), r->headers_in.x_forwarded_for, r->headers_out.cache_control, r->headers_out.link, u->headers_in.cache_control u->headers_in.cookies (renamed to u->headers_in.set_cookie). The r->headers_in.cookies and u->headers_in.cookies fields were renamed to r->headers_in.cookie and u->headers_in.set_cookie to match header names. The ngx_http_parse_multi_header_lines() and ngx_http_parse_set_cookie_lines() functions were changed accordingly. With this change, multi headers are now essentially equivalent to normal headers, and following changes will further make them equivalent. 
Multi headers are now using linked lists instead of arrays.  Notably,
the following fields were changed: r->headers_in.cookies (renamed
to r->headers_in.cookie), r->headers_in.x_forwarded_for,
r->headers_out.cache_control, r->headers_out.link, u->headers_in.cache_control
u->headers_in.cookies (renamed to u->headers_in.set_cookie).

The r->headers_in.cookies and u->headers_in.cookies fields were renamed
to r->headers_in.cookie and u->headers_in.set_cookie to match header names.

The ngx_http_parse_multi_header_lines() and ngx_http_parse_set_cookie_lines()
functions were changed accordingly.

With this change, multi headers are now essentially equivalent to normal
headers, and following changes will further make them equivalent.
Improved logging of invalid headers. 2021-06-28T15:01:20+00:00 Maxim Dounin mdounin@mdounin.ru 2021-06-28T15:01:20+00:00 7587778a33bea0ce6f203a8c4de18e33f38b9582 In 71edd9192f24 logging of invalid headers which were rejected with the NGX_HTTP_PARSE_INVALID_HEADER error was restricted to just the "client sent invalid header line" message, without any attempts to log the header itself. This patch returns logging of the header up to the invalid character and the character itself. The r->header_end pointer is now properly set in all cases to make logging possible. The same logging is also introduced when parsing headers from upstream servers. 
In 71edd9192f24 logging of invalid headers which were rejected with the
NGX_HTTP_PARSE_INVALID_HEADER error was restricted to just the "client
sent invalid header line" message, without any attempts to log the header
itself.

This patch returns logging of the header up to the invalid character and
the character itself.  The r->header_end pointer is now properly set
in all cases to make logging possible.

The same logging is also introduced when parsing headers from upstream
servers.
Disabled control characters and space in header names. 2021-06-28T15:01:18+00:00 Maxim Dounin mdounin@mdounin.ru 2021-06-28T15:01:18+00:00 9ab4d368af63e9c4a0bebc0eda82d668adaa560a Control characters (0x00-0x1f, 0x7f), space, and colon were never allowed in header names. The only somewhat valid use is header continuation which nginx never supported and which is explicitly obsolete by RFC 7230. Previously, such headers were considered invalid and were ignored by default (as per ignore_invalid_headers directive). With this change, such headers are unconditionally rejected. It is expected to make nginx more resilient to various attacks, in particular, with ignore_invalid_headers switched off (which is inherently unsecure, though nevertheless sometimes used in the wild). 
Control characters (0x00-0x1f, 0x7f), space, and colon were never allowed in
header names.  The only somewhat valid use is header continuation which nginx
never supported and which is explicitly obsolete by RFC 7230.

Previously, such headers were considered invalid and were ignored by default
(as per ignore_invalid_headers directive).  With this change, such headers
are unconditionally rejected.

It is expected to make nginx more resilient to various attacks, in particular,
with ignore_invalid_headers switched off (which is inherently unsecure, though
nevertheless sometimes used in the wild).