From 1e3098851650d994d20f7c77171a307bf786010f Mon Sep 17 00:00:00 2001
From: Demi Marie Obenour
Date: Mon, 7 Apr 2025 23:07:55 -0400
Subject: [PATCH] HTTP: Reject HTTP/2 and HTTP/3 requests with Transfer-Encoding RFC9113 and RFC9114 are clear that this header cannot be used in these versions of HTTP, and in other proxies accepting Transfer-Encoding has led to security vulnerabilities. NGINX is safe from the vulnerability because it ignores the header, but this is still wrong.
Fixes: #612
---
 src/http/ngx_http_request.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
index ceac8d307..092d25509 100644
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -2015,9 +2015,9 @@ ngx_http_process_request_header(ngx_http_request_t *r)
 }
 if (r->headers_in.transfer_encoding) {
- if (r->http_version < NGX_HTTP_VERSION_11) {
+ if (r->http_version != NGX_HTTP_VERSION_11) {
 ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
- "client sent HTTP/1.0 request with "
+ "client sent non-HTTP/1.1 request with "
 "\"Transfer-Encoding\" header");
 ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
 return NGX_ERROR;
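Review bot: The rewritten log string in the `r->http_version != NGX_HTTP_VERSION_11` branch no longer says which protocol the client used, so an HTTP/1.0 client and an HTTP/2 or HTTP/3 client sending this forbidden header produce the same log line. Because this rejection is a useful signal when triaging request-smuggling probes, consider logging the version, e.g. `"client sent \"Transfer-Encoding\" header in HTTP version %ui request"` with `r->http_version` as the argument. A short comment above the test, such as `/* Transfer-Encoding is valid only in HTTP/1.1 (RFC 9113 8.2.2, RFC 9114 4.2) */`, would keep the `!=` from being read later as a typo for `<`. The patch touches only this file, so the HTTP/2 and HTTP/3 rejection paths appear to have no test here, and the body of ngx_http_process_request_header continues outside the hunk.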