Restrict duplicate TE headers in HTTP/2 and HTTP/3

Following d3a76322cf7a, this change rejects requests which have multiple TE headers. Reported-by: geeknik <geeknik@protonmail.ch>
author: Roman Arutyunyan <arut@nginx.com> 2026-04-15 13:49:00 +0400
committer: Roman Arutyunyan <arutyunyan.roman@gmail.com> 2026-04-16 19:47:03 +0400
commit: 4e89ce224f0b3fe9c1d1bc42eca0a7afecdcafb6 (patch)
tree: ce0b349ed545594081a503729b82a8dfa9f06f7a /src/http/v3
parent: ff8221b4db29b1d31ef31f01d989a57ac35a9dd0 (diff)
download: nginx-4e89ce224f0b3fe9c1d1bc42eca0a7afecdcafb6.tar.gz
nginx-4e89ce224f0b3fe9c1d1bc42eca0a7afecdcafb6.tar.bz2
1 files changed, 2 insertions, 1 deletions
diff --git a/src/http/v3/ngx_http_v3_request.c b/src/http/v3/ngx_http_v3_request.c
index 3b0fdbe98..6b487289a 100644
--- a/src/http/v3/ngx_http_v3_request.c
+++ b/src/http/v3/ngx_http_v3_request.c
@@ -1050,7 +1050,8 @@ ngx_http_v3_process_request_header(ngx_http_request_t *r)
     }
 
     if (r->headers_in.te
-        && (r->headers_in.te->value.len != 8
+        && (r->headers_in.te->next
+            || r->headers_in.te->value.len != 8
             || ngx_strncasecmp(r->headers_in.te->value.data,
                                (u_char *) "trailers", 8) != 0))
     {
author	Roman Arutyunyan <arut@nginx.com>	2026-04-15 13:49:00 +0400
committer	Roman Arutyunyan <arutyunyan.roman@gmail.com>	2026-04-16 19:47:03 +0400
commit	4e89ce224f0b3fe9c1d1bc42eca0a7afecdcafb6 (patch)
tree	ce0b349ed545594081a503729b82a8dfa9f06f7a /src/http/v3
parent	ff8221b4db29b1d31ef31f01d989a57ac35a9dd0 (diff)
download	nginx-4e89ce224f0b3fe9c1d1bc42eca0a7afecdcafb6.tar.gz nginx-4e89ce224f0b3fe9c1d1bc42eca0a7afecdcafb6.tar.bz2