nginx.git/src/http, branch release-1.21.1 nginx Disabled control characters in the Host header. 2021-06-28T15:01:24+00:00 Maxim Dounin mdounin@mdounin.ru 2021-06-28T15:01:24+00:00 07c63a42640e59bf5e3399cfdafd498b61671780 Control characters (0x00-0x1f, 0x7f) and space are not expected to appear in the Host header. Requests with such characters in the Host header are now unconditionally rejected. 
Control characters (0x00-0x1f, 0x7f) and space are not expected to appear
in the Host header.  Requests with such characters in the Host header are
now unconditionally rejected.
Improved logging of invalid headers. 2021-06-28T15:01:20+00:00 Maxim Dounin mdounin@mdounin.ru 2021-06-28T15:01:20+00:00 7587778a33bea0ce6f203a8c4de18e33f38b9582 In 71edd9192f24 logging of invalid headers which were rejected with the NGX_HTTP_PARSE_INVALID_HEADER error was restricted to just the "client sent invalid header line" message, without any attempts to log the header itself. This patch returns logging of the header up to the invalid character and the character itself. The r->header_end pointer is now properly set in all cases to make logging possible. The same logging is also introduced when parsing headers from upstream servers. 
In 71edd9192f24 logging of invalid headers which were rejected with the
NGX_HTTP_PARSE_INVALID_HEADER error was restricted to just the "client
sent invalid header line" message, without any attempts to log the header
itself.

This patch returns logging of the header up to the invalid character and
the character itself.  The r->header_end pointer is now properly set
in all cases to make logging possible.

The same logging is also introduced when parsing headers from upstream
servers.
Disabled control characters and space in header names. 2021-06-28T15:01:18+00:00 Maxim Dounin mdounin@mdounin.ru 2021-06-28T15:01:18+00:00 9ab4d368af63e9c4a0bebc0eda82d668adaa560a Control characters (0x00-0x1f, 0x7f), space, and colon were never allowed in header names. The only somewhat valid use is header continuation which nginx never supported and which is explicitly obsolete by RFC 7230. Previously, such headers were considered invalid and were ignored by default (as per ignore_invalid_headers directive). With this change, such headers are unconditionally rejected. It is expected to make nginx more resilient to various attacks, in particular, with ignore_invalid_headers switched off (which is inherently unsecure, though nevertheless sometimes used in the wild). 
Control characters (0x00-0x1f, 0x7f), space, and colon were never allowed in
header names.  The only somewhat valid use is header continuation which nginx
never supported and which is explicitly obsolete by RFC 7230.

Previously, such headers were considered invalid and were ignored by default
(as per ignore_invalid_headers directive).  With this change, such headers
are unconditionally rejected.

It is expected to make nginx more resilient to various attacks, in particular,
with ignore_invalid_headers switched off (which is inherently unsecure, though
nevertheless sometimes used in the wild).
Disabled control characters in URIs. 2021-06-28T15:01:15+00:00 Maxim Dounin mdounin@mdounin.ru 2021-06-28T15:01:15+00:00 0b66bd4be777a5b79c5ae0e7dff89fc6429da0fe Control characters (0x00-0x1f, 0x7f) were never allowed in URIs, and must be percent-encoded by clients. Further, these are not believed to appear in practice. On the other hand, passing such characters might make various attacks possible or easier, despite the fact that currently allowed control characters are not significant for HTTP request parsing. 
Control characters (0x00-0x1f, 0x7f) were never allowed in URIs, and must
be percent-encoded by clients.  Further, these are not believed to appear
in practice.  On the other hand, passing such characters might make various
attacks possible or easier, despite the fact that currently allowed control
characters are not significant for HTTP request parsing.
Disabled spaces in URIs (ticket #196). 2021-06-28T15:01:13+00:00 Maxim Dounin mdounin@mdounin.ru 2021-06-28T15:01:13+00:00 05395f4889cf0b66e8d049921ad19f1a08319150 From now on, requests with spaces in URIs are immediately rejected rather than allowed. Spaces were allowed in 31e9677b15a1 (0.8.41) to handle bad clients. It is believed that now this behaviour causes more harm than good. 
From now on, requests with spaces in URIs are immediately rejected rather
than allowed.  Spaces were allowed in 31e9677b15a1 (0.8.41) to handle bad
clients.  It is believed that now this behaviour causes more harm than
good.
Disabled requests with both Content-Length and Transfer-Encoding. 2021-06-28T15:01:06+00:00 Maxim Dounin mdounin@mdounin.ru 2021-06-28T15:01:06+00:00 a6c109fea5c13b8aa13ed95ca00a64d62601042b HTTP clients are not allowed to generate such requests since Transfer-Encoding introduction in RFC 2068, and they are not expected to appear in practice except in attempts to perform a request smuggling attack. While handling of such requests is strictly defined, the most secure approach seems to reject them. 
HTTP clients are not allowed to generate such requests since Transfer-Encoding
introduction in RFC 2068, and they are not expected to appear in practice
except in attempts to perform a request smuggling attack.  While handling of
such requests is strictly defined, the most secure approach seems to reject
them.
Added CONNECT method rejection. 2021-06-28T15:01:04+00:00 Maxim Dounin mdounin@mdounin.ru 2021-06-28T15:01:04+00:00 5f85bb3714a81d158f4d849ad5c61aec2737a9f0 No valid CONNECT requests are expected to appear within nginx, since it is not a forward proxy. Further, request line parsing will reject proper CONNECT requests anyway, since we don't allow authority-form of request-target. On the other hand, RFC 7230 specifies separate message length rules for CONNECT which we don't support, so make sure to always reject CONNECTs to avoid potential abuse. 
No valid CONNECT requests are expected to appear within nginx, since it
is not a forward proxy.  Further, request line parsing will reject
proper CONNECT requests anyway, since we don't allow authority-form of
request-target.  On the other hand, RFC 7230 specifies separate message
length rules for CONNECT which we don't support, so make sure to always
reject CONNECTs to avoid potential abuse.
Moved TRACE method rejection to a better place. 2021-06-28T15:01:00+00:00 Maxim Dounin mdounin@mdounin.ru 2021-06-28T15:01:00+00:00 d9c1d1bae7ae2c83fb65ca00a47ad6c1199a691e Previously, TRACE requests were rejected before parsing Transfer-Encoding. This is not important since keepalive is not enabled at this point anyway, though rejecting such requests after properly parsing other headers is less likely to cause issues in case of further code changes. 
Previously, TRACE requests were rejected before parsing Transfer-Encoding.
This is not important since keepalive is not enabled at this point anyway,
though rejecting such requests after properly parsing other headers is
less likely to cause issues in case of further code changes.
gRPC: RST_STREAM(NO_ERROR) handling micro-optimization. 2021-06-17T08:44:06+00:00 Sergey Kandaurov pluknet@nginx.com 2021-06-17T08:44:06+00:00 693e4134a51b4fd30689ad1e31e6fdffe5ee1429 After 2096b21fcd10, a single RST_STREAM(NO_ERROR) may not result in an error. This change removes several unnecessary ctx->type checks for such a case. 
After 2096b21fcd10, a single RST_STREAM(NO_ERROR) may not result in an error.
This change removes several unnecessary ctx->type checks for such a case.
gRPC: handling GOAWAY with a higher last stream identifier. 2021-06-17T08:43:55+00:00 Sergey Kandaurov pluknet@nginx.com 2021-06-17T08:43:55+00:00 dcdf7ec096f0998e689b7f0b0f7541e197eeff6a Previously, once received from upstream, it couldn't limit opening additional streams in a cached keepalive connection. 
Previously, once received from upstream, it couldn't limit
opening additional streams in a cached keepalive connection.