| author | Roman Arutyunyan <arut@nginx.com> | 2026-04-15 13:49:00 +0400 |
|---|---|---|
| committer | Roman Arutyunyan <arutyunyan.roman@gmail.com> | 2026-04-16 19:47:03 +0400 |
| commit | 4e89ce224f0b3fe9c1d1bc42eca0a7afecdcafb6 (patch) | |
| tree | ce0b349ed545594081a503729b82a8dfa9f06f7a | |
| parent | ff8221b4db29b1d31ef31f01d989a57ac35a9dd0 (diff) | |
Restrict duplicate TE headers in HTTP/2 and HTTP/3
Following d3a76322cf7a, this change rejects requests which have multiple
TE headers.
Reported-by: geeknik <geeknik@protonmail.ch>
| -rw-r--r-- | src/http/v2/ngx_http_v2.c | 3 | ||||
| -rw-r--r-- | src/http/v3/ngx_http_v3_request.c | 3 |
2 files changed, 4 insertions, 2 deletions
diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c
index 336718bad..69cb0ae09 100644
--- a/src/http/v2/ngx_http_v2.c
+++ b/src/http/v2/ngx_http_v2.c
@@ -3849,7 +3849,8 @@ ngx_http_v2_run_request(ngx_http_request_t *r)
 } if (r->headers_in.te
- && (r->headers_in.te->value.len != 8
+ && (r->headers_in.te->next
+ || r->headers_in.te->value.len != 8
 || ngx_strncasecmp(r->headers_in.te->value.data, (u_char *) "trailers", 8) != 0)) {
diff --git a/src/http/v3/ngx_http_v3_request.c b/src/http/v3/ngx_http_v3_request.c
index 3b0fdbe98..6b487289a 100644
--- a/src/http/v3/ngx_http_v3_request.c
+++ b/src/http/v3/ngx_http_v3_request.c
@@ -1050,7 +1050,8 @@ ngx_http_v3_process_request_header(ngx_http_request_t *r)
 } if (r->headers_in.te
- && (r->headers_in.te->value.len != 8
+ && (r->headers_in.te->next
+ || r->headers_in.te->value.len != 8
 || ngx_strncasecmp(r->headers_in.te->value.data, (u_char *) "trailers", 8) != 0)) { |
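Review bot: The added `r->headers_in.te->next` test in ngx_http_v2_run_request() carries no comment explaining why a second TE field line is rejected outright, and the identical hunk in ngx_http_v3_process_request_header() has the same gap. The rest of the condition compares only `r->headers_in.te->value` with "trailers", so presumably a later TE line was never value-checked before this change; that is the reason worth recording. I would add above the `if` in both files: `/* TE must be a single "trailers" field; values of further TE lines are not inspected, so reject them */`. This also rejects a repeated `TE: trailers`, which the comment should state is intended. Both functions start and end outside their hunks, so the rejection path itself is not visible here.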
