From 7344f54d1d9e0ef935bf083e497d2129fb72a350 Mon Sep 17 00:00:00 2001 From: Roman Arutyunyan Date: Thu, 26 Jun 2025 20:19:59 +0400 Subject: [PATCH] HTTP/3: fixed handling :authority and Host with port. RFC 9114, Section 4.3.1. specifies a restriciton for :authority and Host coexistence in an HTTP/3 request: : If both fields are present, they MUST contain the same value. Currently this restriction is correctly enforced for portless values. However when a port is specified, the request fails as if :authority and Host are different. Also, if no :authority is passed, but Host contains a port, the request fails as well. This happens because the value of r->headers_in.server used for :authority has port stripped. The fix is to use r->host_start / r->host_end instead. --- src/http/v3/ngx_http_v3_request.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/http/v3/ngx_http_v3_request.c b/src/http/v3/ngx_http_v3_request.c index e41ad50a8..a2a26e968 100644 --- a/src/http/v3/ngx_http_v3_request.c +++ b/src/http/v3/ngx_http_v3_request.c @@ -1034,11 +1034,11 @@ ngx_http_v3_process_request_header(ngx_http_request_t *r) goto failed; } - if (r->headers_in.host) { - if (r->headers_in.host->value.len != r->headers_in.server.len + if (r->headers_in.host && r->host_end) { + if (r->headers_in.host->value.len != + (size_t) (r->host_end - r->host_start) || ngx_memcmp(r->headers_in.host->value.data, - r->headers_in.server.data, - r->headers_in.server.len) + r->host_start, r->host_end - r->host_start) != 0) { ngx_log_error(NGX_LOG_INFO, c->log, 0,