# HG changeset patch
# User Maxim Dounin <mdounin@mdounin.ru>
# Date 1650492336 -10800
# Thu Apr 21 01:05:36 2022 +0300
# Node ID ab424b5e32405aeec54ccdfe38e9408209209e0a
# Parent b110c54778e8f6af3ea402c0838a4f289dcd813e
Upstream: header handlers can now return parsing errors.
With this change, duplicate Content-Length and Transfer-Encoding headers
are now rejected. Further, responses with invalid Content-Length or
Transfer-Encoding headers are now rejected, as well as responses with both
Content-Length and Transfer-Encoding.
diff --git a/src/http/modules/ngx_http_fastcgi_module.c b/src/http/modules/ngx_http_fastcgi_module.c
--- a/src/http/modules/ngx_http_fastcgi_module.c
+++ b/src/http/modules/ngx_http_fastcgi_module.c
@@ -2007,8 +2007,12 @@ ngx_http_fastcgi_process_header(ngx_http
hh = ngx_hash_find(&umcf->headers_in_hash, h->hash,
h->lowcase_key, h->key.len);
- if (hh && hh->handler(r, h, hh->offset) != NGX_OK) {
- return NGX_ERROR;
+ if (hh) {
+ rc = hh->handler(r, h, hh->offset);
+
+ if (rc != NGX_OK) {
+ return rc;
+ }
}
ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
diff --git a/src/http/modules/ngx_http_grpc_module.c b/src/http/modules/ngx_http_grpc_module.c
--- a/src/http/modules/ngx_http_grpc_module.c
+++ b/src/http/modules/ngx_http_grpc_module.c
@@ -1891,8 +1891,12 @@ ngx_http_grpc_process_header(ngx_http_re
hh = ngx_hash_find(&umcf->headers_in_hash, h->hash,
h->lowcase_key, h->key.len);
- if (hh && hh->handler(r, h, hh->offset) != NGX_OK) {
- return NGX_ERROR;
+ if (hh) {
+ rc = hh->handler(r, h, hh->offset);
+
+ if (rc != NGX_OK) {
+ return rc;
+ }
}
continue;
diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c
--- a/src/http/modules/ngx_http_proxy_module.c
+++ b/src/http/modules/ngx_http_proxy_module.c
@@ -1930,8 +1930,12 @@ ngx_http_proxy_process_header(ngx_http_r
hh = ngx_hash_find(&umcf->headers_in_hash, h->hash,
h->lowcase_key, h->key.len);
- if (hh && hh->handler(r, h, hh->offset) != NGX_OK) {
- return NGX_ERROR;
+ if (hh) {
+ rc = hh->handler(r, h, hh->offset);
+
+ if (rc != NGX_OK) {
+ return rc;
+ }
}
ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
diff --git a/src/http/modules/ngx_http_scgi_module.c b/src/http/modules/ngx_http_scgi_module.c
--- a/src/http/modules/ngx_http_scgi_module.c
+++ b/src/http/modules/ngx_http_scgi_module.c
@@ -1114,8 +1114,12 @@ ngx_http_scgi_process_header(ngx_http_re
hh = ngx_hash_find(&umcf->headers_in_hash, h->hash,
h->lowcase_key, h->key.len);
- if (hh && hh->handler(r, h, hh->offset) != NGX_OK) {
- return NGX_ERROR;
+ if (hh) {
+ rc = hh->handler(r, h, hh->offset);
+
+ if (rc != NGX_OK) {
+ return rc;
+ }
}
ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
diff --git a/src/http/modules/ngx_http_uwsgi_module.c b/src/http/modules/ngx_http_uwsgi_module.c
--- a/src/http/modules/ngx_http_uwsgi_module.c
+++ b/src/http/modules/ngx_http_uwsgi_module.c
@@ -1340,8 +1340,12 @@ ngx_http_uwsgi_process_header(ngx_http_r
hh = ngx_hash_find(&umcf->headers_in_hash, h->hash,
h->lowcase_key, h->key.len);
- if (hh && hh->handler(r, h, hh->offset) != NGX_OK) {
- return NGX_ERROR;
+ if (hh) {
+ rc = hh->handler(r, h, hh->offset);
+
+ if (rc != NGX_OK) {
+ return rc;
+ }
}
ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c
--- a/src/http/ngx_http_upstream.c
+++ b/src/http/ngx_http_upstream.c
@@ -4633,10 +4633,34 @@ ngx_http_upstream_process_content_length
u = r->upstream;
+ if (u->headers_in.content_length) {
+ ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
+ "upstream sent duplicate header line: \"%V: %V\", "
+ "previous value: \"%V: %V\"",
+ &h->key, &h->value,
+ &u->headers_in.content_length->key,
+ &u->headers_in.content_length->value);
+ return NGX_HTTP_UPSTREAM_INVALID_HEADER;
+ }
+
+ if (u->headers_in.transfer_encoding) {
+ ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
+ "upstream sent \"Content-Length\" and "
+ "\"Transfer-Encoding\" headers at the same time");
+ return NGX_HTTP_UPSTREAM_INVALID_HEADER;
+ }
+
h->next = NULL;
u->headers_in.content_length = h;
u->headers_in.content_length_n = ngx_atoof(h->value.data, h->value.len);
+ if (u->headers_in.content_length_n == NGX_ERROR) {
+ ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
+ "upstream sent invalid \"Content-Length\" header: "
+ "\"%V: %V\"", &h->key, &h->value);
+ return NGX_HTTP_UPSTREAM_INVALID_HEADER;
+ }
+
return NGX_OK;
}
@@ -5021,14 +5045,37 @@ ngx_http_upstream_process_transfer_encod
ngx_http_upstream_t *u;
u = r->upstream;
+
+ if (u->headers_in.transfer_encoding) {
+ ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
+ "upstream sent duplicate header line: \"%V: %V\", "
+ "previous value: \"%V: %V\"",
+ &h->key, &h->value,
+ &u->headers_in.transfer_encoding->key,
+ &u->headers_in.transfer_encoding->value);
+ return NGX_HTTP_UPSTREAM_INVALID_HEADER;
+ }
+
+ if (u->headers_in.content_length) {
+ ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
+ "upstream sent \"Content-Length\" and "
+ "\"Transfer-Encoding\" headers at the same time");
+ return NGX_HTTP_UPSTREAM_INVALID_HEADER;
+ }
+
u->headers_in.transfer_encoding = h;
h->next = NULL;
- if (ngx_strlcasestrn(h->value.data, h->value.data + h->value.len,
- (u_char *) "chunked", 7 - 1)
- != NULL)
+ if (h->value.len == 7
+ && ngx_strncasecmp(h->value.data, (u_char *) "chunked", 7) == 0)
{
u->headers_in.chunked = 1;
+
+ } else {
+ ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
+ "upstream sent unknown \"Transfer-Encoding\": \"%V\"",
+ &h->value);
+ return NGX_HTTP_UPSTREAM_INVALID_HEADER;
}
return NGX_OK;
_______________________________________________
nginx-devel mailing list -- nginx-devel@nginx.org
To unsubscribe send an email to nginx-devel-leave@nginx.org