[nginx] Disabled control characters in the Host header.

Maxim Dounin
June 28, 2021 02:38PM
details: https://hg.nginx.org/nginx/rev/e0fdd75871e4
branches:
changeset: 7885:e0fdd75871e4
user: Maxim Dounin <mdounin@mdounin.ru>
date: Mon Jun 28 18:01:24 2021 +0300
description:
Disabled control characters in the Host header.

Control characters (0x00-0x1f, 0x7f) and space are not expected to appear
in the Host header. Requests with such characters in the Host header are
now unconditionally rejected.

diffstat:

src/http/ngx_http_request.c | 7 ++++---
1 files changed, 4 insertions(+), 3 deletions(-)

diffs (23 lines):

diff -r b87b7092cedb -r e0fdd75871e4 src/http/ngx_http_request.c
--- a/src/http/ngx_http_request.c Mon Jun 28 18:01:20 2021 +0300
+++ b/src/http/ngx_http_request.c Mon Jun 28 18:01:24 2021 +0300
@@ -2176,15 +2176,16 @@ ngx_http_validate_host(ngx_str_t *host,
}
break;

- case '\0':
- return NGX_DECLINED;
-
default:

if (ngx_path_separator(ch)) {
return NGX_DECLINED;
}

+ if (ch <= 0x20 || ch == 0x7f) {
+ return NGX_DECLINED;
+ }
+
if (ch >= 'A' && ch <= 'Z') {
alloc = 1;
}
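Review bot: the new `ch <= 0x20 || ch == 0x7f` test in the default branch relies on `ch` being an unsigned byte, and its declaration is outside this hunk. If `ch` were a signed char, bytes 0x80-0xff would compare as negative and be declined too, which goes beyond the control characters and space named in the commit message, so the type is worth confirming. A one-line comment above the test saying it rejects control characters and space would also help, since the bare constants 0x20 and 0x7f do not say so on their own. The removed `case '\0'` looks safe to drop: 0x00 now reaches the default branch and is caught by `ch <= 0x20`.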
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel