From: Roman Arutyunyan Date: Thu, 2 Jul 2026 11:09:35 +0000 (+0400) Subject: Reject HTTP CONNECT requests with body X-Git-Tag: release-1.31.3~9 X-Git-Url: http://git.kaiwu.me/http/$%7BGITURL%7D/doc/static/gitweb.js?a=commitdiff_plain;h=f475868196d2f907768bdfdeec0878ed2702cd0d;p=nginx.git Reject HTTP CONNECT requests with body As per RFC 9110, Section 9.3.6: A CONNECT request message does not have content. Also, as per Section 8.6: A user agent SHOULD NOT send a Content-Length header field when the request message does not contain content and the method semantics do not anticipate such data. --- diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c index a5cd44dcc..2859b5419 100644 --- a/src/http/ngx_http_request.c +++ b/src/http/ngx_http_request.c @@ -2094,13 +2094,20 @@ ngx_http_process_request_header(ngx_http_request_t *r) cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module); - if (r->method == NGX_HTTP_CONNECT - && (r->http_version != NGX_HTTP_VERSION_11 || !cscf->allow_connect)) - { - ngx_log_error(NGX_LOG_INFO, r->connection->log, 0, - "client sent CONNECT method"); - ngx_http_finalize_request(r, NGX_HTTP_NOT_ALLOWED); - return NGX_ERROR; + if (r->method == NGX_HTTP_CONNECT) { + if (r->http_version != NGX_HTTP_VERSION_11 || !cscf->allow_connect) { + ngx_log_error(NGX_LOG_INFO, r->connection->log, 0, + "client sent CONNECT method"); + ngx_http_finalize_request(r, NGX_HTTP_NOT_ALLOWED); + return NGX_ERROR; + } + + if (r->headers_in.content_length_n > 0 || r->headers_in.chunked) { + ngx_log_error(NGX_LOG_INFO, r->connection->log, 0, + "client sent CONNECT request with body"); + ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST); + return NGX_ERROR; + } } if (r->method == NGX_HTTP_TRACE) {