From 5f85bb3714a81d158f4d849ad5c61aec2737a9f0 Mon Sep 17 00:00:00 2001
From: Maxim Dounin
Date: Mon, 28 Jun 2021 18:01:04 +0300
Subject: Added CONNECT method rejection.

No valid CONNECT requests are expected to appear within nginx, since it is not a forward proxy. Further, request line parsing will reject proper CONNECT requests anyway, since we don't allow authority-form of request-target. On the other hand, RFC 7230 specifies separate message length rules for CONNECT which we don't support, so make sure to always reject CONNECTs to avoid potential abuse.
---
 src/http/ngx_http_parse.c | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'src/http/ngx_http_parse.c')
diff --git a/src/http/ngx_http_parse.c b/src/http/ngx_http_parse.c
index 20ad89a77..71fa3c7a5 100644
--- a/src/http/ngx_http_parse.c
+++ b/src/http/ngx_http_parse.c
@@ -246,6 +246,11 @@ ngx_http_parse_request_line(ngx_http_request_t *r, ngx_buf_t *b)
 r->method = NGX_HTTP_OPTIONS;
 }
+ if (ngx_str7_cmp(m, 'C', 'O', 'N', 'N', 'E', 'C', 'T', ' '))
+ {
+ r->method = NGX_HTTP_CONNECT;
+ }
+
 break;
 case 8:
-- cgit
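Review bot: Nothing in this hunk rejects the request: the added branch in the 7-byte method case only sets `r->method = NGX_HTTP_CONNECT`, so the rejection promised by the title presumably happens in code outside this file-limited view. A short comment on the new branch would make that dependency explicit, e.g. `/* CONNECT is recognized only so that it can be rejected later */`. It is also worth confirming that requests which never pass through ngx_http_parse_request_line (for example a protocol front end that receives the method as a header field) reach an equivalent check, since the description's concern is CONNECT's separate message-length rules. The enclosing function starts and ends outside the hunk.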