[patch] reject http header without colon (:) in the header name

Maksim Yevmenkin Tue, 07 May 2024 14:33:06 -0700

hello,

it appears that nginx would happily accept http header without colon
(:) in the header name. the patch below tries to address this.


thanks
max


==
--- a/ports/netflix/nginx/files/nginx/src/http/ngx_http_parse.c
+++ b/ports/netflix/nginx/files/nginx/src/http/ngx_http_parse.c
@@ -941,14 +941,14 @@ ngx_http_parse_header_line(ngx_http_request_t
*r, ngx_buf_t *b,
                 r->header_start = p;
                 r->header_end = p;
                 state = sw_almost_done;
-                break;
+                return NGX_HTTP_PARSE_INVALID_HEADER;
             }

             if (ch == LF) {
                 r->header_name_end = p;
                 r->header_start = p;
                 r->header_end = p;
-                goto done;
+                return NGX_HTTP_PARSE_INVALID_HEADER;
             }

             /* IIS may send the duplicate "HTTP/1.1 ..." lines */
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel

[patch] reject http header without colon (:) in the header name

Reply via email to