mirror of
https://github.com/nginx/nginx.git
synced 2025-07-22 12:26:21 +08:00
Proxy: Reject Transfer-Encoding or Content-Length trailers
These are forbidden by the standard, and if they were (invalidly) folded into a header by downstream code, it would allow HTTP response splitting. This is a defense in depth measure.
This commit is contained in:
parent
279ae488a4
commit
98d266924f
@ -2635,7 +2635,24 @@ ngx_http_proxy_process_trailer(ngx_http_request_t *r, ngx_buf_t *buf)
|
||||
|
||||
if (rc == NGX_OK) {
|
||||
|
||||
/* a header line has been parsed successfully */
|
||||
/* A trailer line has been parsed successfully.
|
||||
* Do not allow trailers that would, if turned into
|
||||
* headers, interfere with request framing. */
|
||||
switch (r->header_name_end - r->header_name_start) {
|
||||
#define X(x) \
|
||||
case sizeof(x "") - 1: \
|
||||
/* The size is always less than the number of bytes in \
|
||||
* the pre-casefolded area. */ \
|
||||
if (memcmp(r->lowcase_header, x, sizeof(x) - 1) == 0) { \
|
||||
return NGX_ERROR; \
|
||||
} else break
|
||||
X("transfer-encoding");
|
||||
X("content-length");
|
||||
X("upgrade");
|
||||
#undef X
|
||||
default:
|
||||
break;
|
||||
}
|
||||
|
||||
h = ngx_list_push(&r->upstream->headers_in.trailers);
|
||||
if (h == NULL) {
|
||||
|
Loading…
Reference in New Issue
Block a user