From e30ddb7a3b437b929d74c7685a495e5a78fa3020 Mon Sep 17 00:00:00 2001
From: Demi Marie Obenour <demiobenour@gmail.com>
Date: Fri, 14 Mar 2025 02:10:46 -0400
Subject: [PATCH] HTTP: Do not allow multiple CRs before LF

This is not permitted by RFC9112.
---
 src/http/ngx_http_parse.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/src/http/ngx_http_parse.c b/src/http/ngx_http_parse.c
index e2c908d32..f7ee2fb14 100644
--- a/src/http/ngx_http_parse.c
+++ b/src/http/ngx_http_parse.c
@@ -1040,8 +1040,6 @@ ngx_http_parse_header_line(ngx_http_request_t *r, ngx_buf_t *b,
             switch (ch) {
             case LF:
                 goto done;
-            case CR:
-                break;
             default:
                 return NGX_HTTP_PARSE_INVALID_HEADER;
             }