HTTP: Reject HTTP/2 and HTTP/3 requests with Transfer-Encoding

RFC9113 and RFC9114 are clear that this header cannot be used in these versions of HTTP, and in other proxies accepting Transfer-Encoding has led to security vulnerabilities. NGINX is safe from the vulnerability because it ignores the header, but this is still wrong. Fixes: #612
2025-06-11 12:22:41 +08:00 · 2025-04-07 23:07:55 -04:00 · 2025-04-07 23:07:55 -04:00 · 481d7e3214
commit 481d7e3214
parent da7f73eb71
1 changed files with 2 additions and 2 deletions
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@ -2015,9 +2015,9 @@ ngx_http_process_request_header(ngx_http_request_t *r)
    }

    if (r->headers_in.transfer_encoding) {
-        if (r->http_version < NGX_HTTP_VERSION_11) {
+        if (r->http_version != NGX_HTTP_VERSION_11) {
            ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
-                          "client sent HTTP/1.0 request with "
+                          "client sent non-HTTP/1.1 request with "
                          "\"Transfer-Encoding\" header");
            ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
            return NGX_ERROR;