From 98d266924f151cfa50c387ebdf96d9521929186a Mon Sep 17 00:00:00 2001
From: Demi Marie Obenour
Date: Wed, 26 Mar 2025 22:33:54 -0400
Subject: [PATCH] Proxy: Reject Transfer-Encoding or Content-Length trailers
These are forbidden by the standard, and if they were (invalidly) folded into a header by downstream code, it would allow HTTP response splitting. This is a defense in depth measure.
---
 src/http/modules/ngx_http_proxy_module.c | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c
index d4c5abf62..29ce6cf36 100644
--- a/src/http/modules/ngx_http_proxy_module.c
+++ b/src/http/modules/ngx_http_proxy_module.c
@@ -2635,7 +2635,24 @@ ngx_http_proxy_process_trailer(ngx_http_request_t *r, ngx_buf_t *buf)
 if (rc == NGX_OK) {
- /* a header line has been parsed successfully */
+ /* A trailer line has been parsed successfully.
+ * Do not allow trailers that would, if turned into
+ * headers, interfere with request framing. */
+ switch (r->header_name_end - r->header_name_start) {
+#define X(x) \
+ case sizeof(x "") - 1: \
+ /* The size is always less than the number of bytes in \
+ * the pre-casefolded area. */ \
+ if (memcmp(r->lowcase_header, x, sizeof(x) - 1) == 0) { \
+ return NGX_ERROR; \
+ } else break
+ X("transfer-encoding");
+ X("content-length");
+ X("upgrade");
+#undef X
+ default:
+ break;
+ }
 h = ngx_list_push(&r->upstream->headers_in.trailers);
 if (h == NULL) {
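Review bot: The rejection path inside the added `X()` macro returns `NGX_ERROR` without writing anything to the error log, so an operator whose upstream sends one of these trailers sees a failed response with no stated cause. The switch is also keyed only on name length, so adding a second name of an already-used length would produce a duplicate `case` label. A small static table of forbidden names, compared in a loop and logged on match, avoids both problems and drops the mix of `sizeof(x "")` and `sizeof(x)` in the macro. The added comment says "request framing" although these are trailers of the upstream response, and the commit subject does not mention that `upgrade` is rejected too; `/* ... interfere with message framing or connection handling. */` would cover all three names. The enclosing function starts and ends outside the hunk, so the locals used below would be declared with its other variables.

```c
/* file scope: trailer names that must never be accepted from an upstream */
static ngx_str_t  ngx_http_proxy_forbidden_trailers[] = {
    ngx_string("transfer-encoding"),
    ngx_string("content-length"),
    ngx_string("upgrade"),
    ngx_null_string
};

/* … unchanged: ngx_http_parse_header_line() call … */
        if (rc == NGX_OK) {

            /*
             * A trailer line has been parsed successfully.  Reject names
             * that would, if turned into headers, interfere with message
             * framing or connection handling.  Every table entry is shorter
             * than the pre-casefolded area, so the compare stays in bounds.
             */

            len = r->header_name_end - r->header_name_start;

            for (t = ngx_http_proxy_forbidden_trailers; t->len; t++) {
                if (t->len == len
                    && ngx_memcmp(r->lowcase_header, t->data, len) == 0)
                {
                    ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
                                  "upstream sent forbidden trailer \"%V\"", t);
                    return NGX_ERROR;
                }
            }

/* … unchanged: ngx_list_push() of the trailer and the rest of the loop … */
```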