Environment
N/A
Description
In HTTP/2 and HTTP/3, NGINX accepts field (header and trailer) values with leading and/or trailing space and/or tab characters. This is forbidden by RFC 9113 and RFC 9114: NGINX must either reject the entire message or strip leading and trailing whitespace before doing any further processing.
This can be observed by sending an HTTP/2 or HTTP/3 request with a header value containing leading or trailing spaces to an NGINX instance that reverse-proxies to another instance of NGINX, and finding that the two disagree on the exact value of the header.
The easiest fix is to unconditionally reject such requests or responses. I am not sure if this is too risky from a compatibility perspective.
nginx configuration
N/A — this was found by source review and confirmed to be a bug.
nginx debug log
N/A
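The two remedies named in the description (reject the message, or strip before any further processing) can be sketched in C as follows. This is an added example, not NGINX source: the function names are hypothetical, the sample values are constructed, and treating an empty value as acceptable is an assumption.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* SP (0x20) or HTAB (0x09): the characters the report says must not
 * begin or end an HTTP/2 or HTTP/3 field value. */
static int is_ows(unsigned char c) { return c == 0x20 || c == 0x09; }

/* Remedy 1, reject: returns 1 if the value may be processed, 0 if the
 * message should be treated as malformed. Interior whitespace is fine;
 * an empty value is accepted here (assumption). */
int field_value_ok(const unsigned char *v, size_t len)
{
    if (len == 0) return 1;
    return !is_ows(v[0]) && !is_ows(v[len - 1]);
}

/* Remedy 2, strip: narrows the span in place (no copy) so every later
 * consumer, including the upstream request, sees the same bytes. */
void field_value_trim(const unsigned char **v, size_t *len)
{
    while (*len > 0 && is_ows((*v)[0])) { (*v)++; (*len)--; }
    while (*len > 0 && is_ows((*v)[*len - 1])) { (*len)--; }
}

/* Returns 1 if raw, once trimmed, is byte-for-byte equal to expected. */
int trimmed_equals(const char *raw, const char *expected)
{
    const unsigned char *p = (const unsigned char *) raw;
    size_t n = strlen(raw);
    field_value_trim(&p, &n);
    return n == strlen(expected) && memcmp(p, expected, n) == 0;
}

int main(void)
{
    /* Constructed field values, as they would look after header decoding. */
    const char *samples[] = { "example.com", " example.com",
                              "example.com\t", "a b", " \t " };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        const unsigned char *p = (const unsigned char *) samples[i];
        size_t n = strlen(samples[i]);
        int ok = field_value_ok(p, n);
        field_value_trim(&p, &n);
        printf("raw_len=%zu ok=%d trimmed_len=%zu\n",
               strlen(samples[i]), ok, n);
    }
    return 0;
}
```

Whichever remedy is chosen has to run before the value is compared, logged or forwarded, otherwise the front end and the upstream can still disagree on the value.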