From 4e89ce224f0b3fe9c1d1bc42eca0a7afecdcafb6 Mon Sep 17 00:00:00 2001
From: Roman Arutyunyan <arut@nginx.com>
Date: Wed, 15 Apr 2026 13:49:00 +0400
Subject: Restrict duplicate TE headers in HTTP/2 and HTTP/3

Following d3a76322cf7a, this change rejects requests which have multiple
TE headers.

Reported-by: geeknik <geeknik@protonmail.ch>
---
 src/http/v2/ngx_http_v2.c         | 3 ++-
 src/http/v3/ngx_http_v3_request.c | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

(limited to 'src/http')

diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c
index 336718bad..69cb0ae09 100644
--- a/src/http/v2/ngx_http_v2.c
+++ b/src/http/v2/ngx_http_v2.c
@@ -3849,7 +3849,8 @@ ngx_http_v2_run_request(ngx_http_request_t *r)
     }
 
     if (r->headers_in.te
-        && (r->headers_in.te->value.len != 8
+        && (r->headers_in.te->next
+            || r->headers_in.te->value.len != 8
             || ngx_strncasecmp(r->headers_in.te->value.data,
                                (u_char *) "trailers", 8) != 0))
     {
diff --git a/src/http/v3/ngx_http_v3_request.c b/src/http/v3/ngx_http_v3_request.c
index 3b0fdbe98..6b487289a 100644
--- a/src/http/v3/ngx_http_v3_request.c
+++ b/src/http/v3/ngx_http_v3_request.c
@@ -1050,7 +1050,8 @@ ngx_http_v3_process_request_header(ngx_http_request_t *r)
     }
 
     if (r->headers_in.te
-        && (r->headers_in.te->value.len != 8
+        && (r->headers_in.te->next
+            || r->headers_in.te->value.len != 8
             || ngx_strncasecmp(r->headers_in.te->value.data,
                                (u_char *) "trailers", 8) != 0))
     {
-- 
cgit