diff options
| author | Roman Arutyunyan <arut@nginx.com> | 2026-04-08 17:19:24 +0400 |
|---|---|---|
| committer | Roman Arutyunyan <arutyunyan.roman@gmail.com> | 2026-04-14 09:53:13 +0400 |
| commit | d3a76322cf7abedb32b8216d1e5c0cef4858e4d4 (patch) | |
| tree | a3efc33a7486dae0450ce0ebf7f05c0b833565e9 /src | |
| parent | 00979ba9d843be266529067285b635070f2d1993 (diff) | |
| download | nginx-d3a76322cf7abedb32b8216d1e5c0cef4858e4d4.tar.gz nginx-d3a76322cf7abedb32b8216d1e5c0cef4858e4d4.tar.bz2 | |
Restrict connection-specific headers in HTTP/2 and HTTP/3
As per RFC 9113 and RFC 9114, any message containing such headers MUST be
treated as malformed.
As per RFC 9110, Section 7.6.1, the following headers are considered
connection-specific:
- Connection
- Proxy-Connection
- Keep-Alive
- TE
- Transfer-Encoding
- Upgrade
The only exception is the TE header field, which MAY be present in a
request header, but it MUST NOT contain any value other than "trailers".
Diffstat (limited to 'src')
| -rw-r--r-- | src/http/ngx_http_request.c | 20 | ||||
| -rw-r--r-- | src/http/v2/ngx_http_v2.c | 39 | ||||
| -rw-r--r-- | src/http/v3/ngx_http_v3_request.c | 39 |
3 files changed, 98 insertions, 0 deletions
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c index a9573a620..a5cd44dcc 100644 --- a/src/http/ngx_http_request.c +++ b/src/http/ngx_http_request.c @@ -26,6 +26,8 @@ static ngx_int_t ngx_http_process_host(ngx_http_request_t *r, ngx_table_elt_t *h, ngx_uint_t offset); static ngx_int_t ngx_http_process_connection(ngx_http_request_t *r, ngx_table_elt_t *h, ngx_uint_t offset); +static ngx_int_t ngx_http_process_proxy_connection(ngx_http_request_t *r, + ngx_table_elt_t *h, ngx_uint_t offset); static ngx_int_t ngx_http_process_user_agent(ngx_http_request_t *r, ngx_table_elt_t *h, ngx_uint_t offset); @@ -82,6 +84,9 @@ ngx_http_header_t ngx_http_headers_in[] = { { ngx_string("Connection"), offsetof(ngx_http_headers_in_t, connection), ngx_http_process_connection }, + { ngx_string("Proxy-Connection"), 0, + ngx_http_process_proxy_connection }, + { ngx_string("If-Modified-Since"), offsetof(ngx_http_headers_in_t, if_modified_since), ngx_http_process_unique_header_line }, @@ -1929,6 +1934,21 @@ ngx_http_process_connection(ngx_http_request_t *r, ngx_table_elt_t *h, static ngx_int_t +ngx_http_process_proxy_connection(ngx_http_request_t *r, ngx_table_elt_t *h, + ngx_uint_t offset) +{ + if (r->http_version >= NGX_HTTP_VERSION_20) { + ngx_log_error(NGX_LOG_INFO, r->connection->log, 0, + "client sent \"Proxy-Connection\" header"); + ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST); + return NGX_ERROR; + } + + return NGX_OK; +} + + +static ngx_int_t ngx_http_process_user_agent(ngx_http_request_t *r, ngx_table_elt_t *h, ngx_uint_t offset) { diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c index efe22903f..336718bad 100644 --- a/src/http/v2/ngx_http_v2.c +++ b/src/http/v2/ngx_http_v2.c @@ -3820,6 +3820,45 @@ ngx_http_v2_run_request(ngx_http_request_t *r) r->http_state = NGX_HTTP_PROCESS_REQUEST_STATE; + if (r->headers_in.connection) { + ngx_log_error(NGX_LOG_INFO, fc->log, 0, + "client sent \"Connection\" header"); + ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST); + goto failed; + } + + if (r->headers_in.keep_alive) { + ngx_log_error(NGX_LOG_INFO, fc->log, 0, + "client sent \"Keep-Alive\" header"); + ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST); + goto failed; + } + + if (r->headers_in.transfer_encoding) { + ngx_log_error(NGX_LOG_INFO, fc->log, 0, + "client sent \"Transfer-Encoding\" header"); + ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST); + goto failed; + } + + if (r->headers_in.upgrade) { + ngx_log_error(NGX_LOG_INFO, fc->log, 0, + "client sent \"Upgrade\" header"); + ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST); + goto failed; + } + + if (r->headers_in.te + && (r->headers_in.te->value.len != 8 + || ngx_strncasecmp(r->headers_in.te->value.data, + (u_char *) "trailers", 8) != 0)) + { + ngx_log_error(NGX_LOG_INFO, fc->log, 0, + "client sent invalid \"TE\" header"); + ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST); + goto failed; + } + if (r->headers_in.server.len == 0) { ngx_log_error(NGX_LOG_INFO, fc->log, 0, "client sent neither \":authority\" nor \"Host\" header"); diff --git a/src/http/v3/ngx_http_v3_request.c b/src/http/v3/ngx_http_v3_request.c index 7bb61311d..3b0fdbe98 100644 --- a/src/http/v3/ngx_http_v3_request.c +++ b/src/http/v3/ngx_http_v3_request.c @@ -1021,6 +1021,45 @@ ngx_http_v3_process_request_header(ngx_http_request_t *r) c = r->connection; + if (r->headers_in.connection) { + ngx_log_error(NGX_LOG_INFO, c->log, 0, + "client sent \"Connection\" header"); + ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST); + return NGX_ERROR; + } + + if (r->headers_in.keep_alive) { + ngx_log_error(NGX_LOG_INFO, c->log, 0, + "client sent \"Keep-Alive\" header"); + ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST); + return NGX_ERROR; + } + + if (r->headers_in.transfer_encoding) { + ngx_log_error(NGX_LOG_INFO, c->log, 0, + "client sent \"Transfer-Encoding\" header"); + ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST); + return NGX_ERROR; + } + + if (r->headers_in.upgrade) { + ngx_log_error(NGX_LOG_INFO, c->log, 0, + "client sent \"Upgrade\" header"); + ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST); + return NGX_ERROR; + } + + if (r->headers_in.te + && (r->headers_in.te->value.len != 8 + || ngx_strncasecmp(r->headers_in.te->value.data, + (u_char *) "trailers", 8) != 0)) + { + ngx_log_error(NGX_LOG_INFO, c->log, 0, + "client sent invalid \"TE\" header"); + ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST); + return NGX_ERROR; + } + if (ngx_http_v3_init_pseudo_headers(r) != NGX_OK) { return NGX_ERROR; } |