8000 Reject some messages a conformant sender would not have sent by DemiMarie · Pull Request #728 · nginx/nginx · GitHub
[go: up one dir, main page]
Skip to content

Reject some messages a conformant sender would not have sent #728

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
wants to merge 21 commits into
base: master
Choose a base branch
from
Draft

Reject some messages a conformant sender would not have sent #728

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
21 commits
Select commit Hold shift + click to select a range
80b41e1
HTTP: Use common header validation function for HTTP/2 and HTTP/3
DemiMarie Mar 25, 2025
3897c97
Strip leading and trailing whitespace from HTTP field values
DemiMarie Apr 7, 2025
c7d26cc
HTTP/3: Do not allow invalid pseudo-header fields
DemiMarie Mar 21, 2025
17ce4bc
HTTP: Use common header code for v2 and v3
DemiMarie Mar 22, 2025
1e30988
HTTP: Reject HTTP/2 and HTTP/3 requests with Transfer-Encoding
DemiMarie Apr 8, 2025
b1c4b07
HTTP: Reject invalid header names
DemiMarie Mar 14, 2025
ae76c64
HTTP: Reject invalid field values
DemiMarie Apr 9, 2025
279ae48
HTTP: Reject hop-by-hop headers in HTTP/2 and HTTP/3 requests
DemiMarie Mar 13, 2025
98d2669
Proxy: Reject Transfer-Encoding or Content-Length trailers
DemiMarie Mar 27, 2025
dab8c0e
HTTP: Do not allow header lines with no colon
DemiMarie Apr 25, 2025
e30ddb7
HTTP: Do not allow multiple CRs before LF
DemiMarie Mar 14, 2025
0d2c875
HTTP: Do not allow request lines to end with bare CR
DemiMarie Mar 16, 2025
1be6976
Reject malformed chunk extensions
DemiMarie Mar 23, 2025
1c0426c
Forbid malformed HTTP/1.1 trailers
DemiMarie Mar 27, 2025
626b1d9
HTTP: Reject trailers involved in framing
DemiMarie Mar 27, 2025
436282f
HTTP: Remove redundant state from chunk parsing
DemiMarie Apr 7, 2025
bb0a2b9
HTTP: Allow rejecting leading and trailing whitespace in HTTP2+ fields
DemiMarie Mar 25, 2025
bd37faf
HTTP: do not allow headers to end with a bare LF
DemiMarie Mar 16, 2025
7032a60
HTTP: do not allow status line to end with bare LF
DemiMarie Mar 16, 2025
9950dfb
Do not allow trailers to end with bare LF
DemiMarie Jun 10, 2025
9b8e4a1
Do not support bad whitespace in chunk extensions
DemiMarie Jun 10, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Next Next commit
HTTP: Use common header validation function for HTTP/2 and HTTP/3 
The header validation required by HTTP/2 and HTTP/3 is identical, so use
a common function for both.  This will make it easier to add additional
validation in the future.  Move the function to ngx_http_parse.c so that
it can share code with the HTTP/1.x parser in the future.

No functional change intended.
  • Loading branch information
@DemiMarie
DemiMarie committed Jun 10, 2025
commit 80b41e100204d827ef54c916a6c8cab1365b97d7
2 changes: 2 additions & 0 deletions src/http/ngx_http.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -182,6 +182,8 @@ ngx_int_t ngx_http_huff_decode(u_char *state, u_char *src, size_t len,
u_char **dst, ngx_uint_t last, ngx_log_t *log);
size_t ngx_http_huff_encode(u_char *src, size_t len, u_char *dst,
ngx_uint_t lower);
ngx_int_t ngx_http_v23_validate_header(ngx_http_request_t *r,
ngx_str_t *name, ngx_str_t *value);
#endif


Expand Down
62 changes: 62 additions & 0 deletions src/http/ngx_http_parse.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1090,6 +1090,68 @@ ngx_http_parse_header_line(ngx_http_request_t *r, ngx_buf_t *b,
}


#if (NGX_HTTP_V2 || NGX_HTTP_V3)
ngx_int_t
ngx_http_v23_validate_header(ngx_http_request_t *r, ngx_str_t *name,
ngx_str_t *value)
{
u_char ch;
ngx_uint_t i;
ngx_http_core_srv_conf_t *cscf;

r->invalid_header = 0;

cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module);

if (name->len < 1) {
ngx_log_error(NGX_LOG_EMERG, r->connection->log, 0,
"BUG: internal zero-length header name");

return NGX_ERROR;
}

for (i = (name->data[0] == ':'); i != name->len; i++) {
ch = name->data[i];

if ((ch >= 'a' && ch <= 'z')
|| (ch == '-')
|| (ch >= '0' && ch <= '9')
|| (ch == '_' && cscf->underscores_in_headers))
{
continue;
}

if (ch <= 0x20 || ch == 0x7f || ch == ':'
|| (ch >= 'A' && ch <= 'Z'))
{
ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
"client sent invalid header name: \"%V\"",
name);

return NGX_ERROR;
}

r->invalid_header = 1;
}

for (i = 0; i != value->len; i++) {
ch = value->data[i];

if (ch == '\0' || ch == LF || ch == CR) {
ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
"client sent header \"%V\" with "
"invalid value: \"%V\"",
name, value);

return NGX_ERROR;
}
}

return NGX_OK;
}
#endif


ngx_int_t
ngx_http_parse_uri(ngx_http_request_t *r)
{
Expand Down
57 changes: 2 additions & 55 deletions src/http/v2/ngx_http_v2.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -142,8 +142,6 @@ static ngx_http_v2_out_frame_t *ngx_http_v2_get_frame(
static ngx_int_t ngx_http_v2_frame_handler(ngx_http_v2_connection_t *h2c,
ngx_http_v2_out_frame_t *frame);

static ngx_int_t ngx_http_v2_validate_header(ngx_http_request_t *r,
ngx_http_v2_header_t *header);
static ngx_int_t ngx_http_v2_pseudo_header(ngx_http_request_t *r,
ngx_http_v2_header_t *header);
static ngx_int_t ngx_http_v2_parse_path(ngx_http_request_t *r,
Expand Down Expand Up @@ -1774,7 +1772,8 @@ ngx_http_v2_state_process_header(ngx_http_v2_connection_t *h2c, u_char *pos,
fc = r->connection;

/* TODO Optimization: validate headers while parsing. */
if (ngx_http_v2_validate_header(r, header) != NGX_OK) {
if (ngx_http_v23_validate_header(r, &header->name, &header->value)
!= NGX_OK) {
ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
goto error;
}
Expand Down Expand Up @@ -3232,58 +3231,6 @@ ngx_http_v2_get_closed_node(ngx_http_v2_connection_t *h2c)
}


static ngx_int_t
ngx_http_v2_validate_header(ngx_http_request_t *r, ngx_http_v2_header_t *header)
{
u_char ch;
ngx_uint_t i;
ngx_http_core_srv_conf_t *cscf;

r->invalid_header = 0;

cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module);

for (i = (header->name.data[0] == ':'); i != header->name.len; i++) {
ch = header->name.data[i];

if ((ch >= 'a' && ch <= 'z')
|| (ch == '-')
|| (ch >= '0' && ch <= '9')
|| (ch == '_' && cscf->underscores_in_headers))
{
continue;
}

if (ch <= 0x20 || ch == 0x7f || ch == ':'
|| (ch >= 'A' && ch <= 'Z'))
{
ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
"client sent invalid header name: \"%V\"",
&header->name);

return NGX_ERROR;
}

r->invalid_header = 1;
}

for (i = 0; i != header->value.len; i++) {
ch = header->value.data[i];

if (ch == '\0' || ch == LF || ch == CR) {
ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
"client sent header \"%V\" with "
"invalid value: \"%V\"",
&header->name, &header->value);

return NGX_ERROR;
}
}

return NGX_OK;
}


static ngx_int_t
ngx_http_v2_pseudo_header(ngx_http_request_t *r, ngx_http_v2_header_t *header)
{
Expand Down
55 changes: 1 addition & 54 deletions src/http/v3/ngx_http_v3_request.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,8 +17,6 @@ static void ngx_http_v3_cleanup_request(void *data);
static void ngx_http_v3_process_request(ngx_event_t *rev);
static ngx_int_t ngx_http_v3_process_header(ngx_http_request_t *r,
ngx_str_t *name, ngx_str_t *value);
static ngx_int_t ngx_http_v3_validate_header(ngx_http_request_t *r,
ngx_str_t *name, ngx_str_t *value);
static ngx_int_t ngx_http_v3_process_pseudo_header(ngx_http_request_t *r,
ngx_str_t *name, ngx_str_t *value);
static ngx_int_t ngx_http_v3_init_pseudo_headers(ngx_http_request_t *r);
Expand Down Expand Up @@ -632,7 +630,7 @@ ngx_http_v3_process_header(ngx_http_request_t *r, ngx_str_t *name,

r->v3_parse->header_limit -= len;

if (ngx_http_v3_validate_header(r, name, value) != NGX_OK) {
if (ngx_http_v23_validate_header(r, name, value) != NGX_OK) {
ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
return NGX_ERROR;
}
Expand Down Expand Up @@ -692,57 +690,6 @@ ngx_http_v3_process_header(ngx_http_request_t *r, ngx_str_t *name,
}


static ngx_int_t
ngx_http_v3_validate_header(ngx_http_request_t *r, ngx_str_t *name,
ngx_str_t *value)
{
u_char ch;
ngx_uint_t i;
ngx_http_core_srv_conf_t *cscf;

r->invalid_header = 0;

cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module);

for (i = (name->data[0] == ':'); i != name->len; i++) {
ch = name->data[i];

if ((ch >= 'a' && ch <= 'z')
|| (ch == '-')
|| (ch >= '0' && ch <= '9')
|| (ch == ' 3262 ;_' && cscf->underscores_in_headers))
{
continue;
}

if (ch <= 0x20 || ch == 0x7f || ch == ':'
|| (ch >= 'A' && ch <= 'Z'))
{
ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
"client sent invalid header name: \"%V\"", name);

return NGX_ERROR;
}

r->invalid_header = 1;
}

for (i = 0; i != value->len; i++) {
ch = value->data[i];

if (ch == '\0' || ch == LF || ch == CR) {
ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
"client sent header \"%V\" with "
"in 5B2C valid value: \"%V\"", name, value);

return NGX_ERROR;
}
}

return NGX_OK;
}


static ngx_int_t
ngx_http_v3_process_pseudo_header(ngx_http_request_t *r, ngx_str_t *name,
ngx_str_t *value)
Expand Down
0