mirror/nginx
1
0
Fork 0
mirror of https://github.com/nginx/nginx.git synced 2025-07-24 06:06:25 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

Forbid malformed HTTP/1.1 trailers

Browse Source 
HTTP/1.1 trailers must follow the same syntax as HTTP headers.
This commit is contained in:
Demi Marie Obenour 2025-03-26 23:13:32 -04:00
parent 1be6976866
commit 1c0426c8c0
1 changed files with 30 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
src/http/ngx_http_parse.c
View File

@ -2296,7 +2296,8 @@ ngx_http_parse_chunked(ngx_http_request_t *r, ngx_buf_t *b,
sw_after_data_almost_done,
sw_trailer,
sw_trailer_almost_done,
sw_trailer_header,
sw_trailer_name,
sw_trailer_value,
sw_trailer_header_almost_done
} state;
@ -2494,7 +2495,11 @@ before_semi:
case LF:
goto done;
default:
state = sw_trailer_header;
if (ngx_http_token_char(ch)) {
state = sw_trailer_name;
break;
}
goto invalid;
}
break;
@ -2504,15 +2509,26 @@ before_semi:
}
goto invalid;
case sw_trailer_header:
switch (ch) {
case CR:
case sw_trailer_name:
if (ngx_http_token_char(ch)) {
break;
}
if (ch == ':') {
state = sw_trailer_value;
break;
}
goto invalid;
case sw_trailer_value:
if (ngx_http_field_value_char(ch)) {
break;
}
if (ch == CR) {
state = sw_trailer_header_almost_done;
break;
case LF:
state = sw_trailer;
}
break;
/* fall through */
case sw_trailer_header_almost_done:
if (ch == LF) {
@ -2553,6 +2569,12 @@ data:
case sw_chunk_extension_name:
ctx->length = 4 /* =b CR LF */ + min_length;
break;
case sw_trailer_name:
ctx->length = 3 /* : LF LF */;
break;
case sw_trailer_value:
ctx->length = 2 /* LF LF */;
break;
case sw_chunk_extension_value_start:
ctx->length = 3 /* b CR LF */ + min_length;
break;
@ -2575,7 +2597,6 @@ data:
case sw_trailer_almost_done:
ctx->length = 1 /* LF */;
break;
case sw_trailer_header:
case sw_trailer_header_almost_done:
ctx->length = 2 /* LF LF */;
break;