HTTP: Do not log headers with unsanitized values

These could contain control characters (including newlines!) and mess up
the logs.
Demi Marie Obenour 2025-03-25 13:38:59 -04:00
parent d313056537
commit 50055f40eb
2 changed files with 4 additions and 6 deletions


@ -3258,8 +3258,7 @@ ngx_http_v2_validate_header(ngx_http_request_t *r, ngx_http_v2_header_t *header)
|| (ch >= 'A' && ch <= 'Z'))
{
ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
"client sent invalid header name: \"%V\"",
&header->name);
"client sent invalid header name");
return NGX_ERROR;
}
@ -3273,8 +3272,7 @@ ngx_http_v2_validate_header(ngx_http_request_t *r, ngx_http_v2_header_t *header)
if (ch == '\0' || ch == LF || ch == CR) {
ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
"client sent header \"%V\" with "
"invalid value: \"%V\"",
&header->name, &header->value);
"invalid value", &header->name);
return NGX_ERROR;
}
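Review bot: The invalid-value branch in the second hunk still formats `&header->name` with `%V`, which writes the bytes as received, so it is safe only if the name loop earlier in ngx_http_v2_validate_header has already rejected every control byte; the start of that condition is outside the hunk, so this cannot be confirmed from here. I would record the dependency next to the call, e.g. `/* name passed the character check above; value is untrusted and must not be logged */`. The same applies to the second hunk of ngx_http_v3_validate_header. If any other ngx_log_error call in these functions still passes the name or value to `%V` before validation completes, it presumably needs the same treatment; none is visible in these hunks.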


@ -719,7 +719,7 @@ ngx_http_v3_validate_header(ngx_http_request_t *r, ngx_str_t *name,
|| (ch >= 'A' && ch <= 'Z'))
{
ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
"client sent invalid header name: \"%V\"", name);
"client sent invalid header name");
return NGX_ERROR;
}
@ -733,7 +733,7 @@ ngx_http_v3_validate_header(ngx_http_request_t *r, ngx_str_t *name,
if (ch == '\0' || ch == LF || ch == CR) {
ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
"client sent header \"%V\" with "
"invalid value: \"%V\"", name, value);
"invalid value", name);
return NGX_ERROR;
}
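Review bot: The invalid-name message in the first hunk now carries nothing about the rejected header, which makes it hard to tell a broken client from deliberate probing when reading the error log. A numeric field cannot carry control bytes, so it would restore some triage context without reopening the log-injection problem, for instance the name length: `"client sent invalid header name, length %uz", name->len);`. The v2 invalid-name message has the same gap. The body of ngx_http_v3_validate_header starts and ends outside the hunks.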