]> git.kaiwu.me - nginx.git/commitdiff
Reject HTTP CONNECT requests with body
authorRoman Arutyunyan <arut@nginx.com>
Thu, 2 Jul 2026 11:09:35 +0000 (15:09 +0400)
committerRoman Arutyunyan <arutyunyan.roman@gmail.com>
Wed, 15 Jul 2026 14:37:17 +0000 (18:37 +0400)
As per RFC 9110, Section 9.3.6:

A CONNECT request message does not have content.

Also, as per Section 8.6:

A user agent SHOULD NOT send a Content-Length header field when the
request message does not contain content and the method semantics do
not anticipate such data.

src/http/ngx_http_request.c

index a5cd44dcc9e4094f7b8400cf72fd2af3b7845f7e..2859b541907882658f5fc7321137613ed2e84027 100644 (file)
@@ -2094,13 +2094,20 @@ ngx_http_process_request_header(ngx_http_request_t *r)
 
     cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module);
 
-    if (r->method == NGX_HTTP_CONNECT
-        && (r->http_version != NGX_HTTP_VERSION_11 || !cscf->allow_connect))
-    {
-        ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
-                      "client sent CONNECT method");
-        ngx_http_finalize_request(r, NGX_HTTP_NOT_ALLOWED);
-        return NGX_ERROR;
+    if (r->method == NGX_HTTP_CONNECT) {
+        if (r->http_version != NGX_HTTP_VERSION_11 || !cscf->allow_connect) {
+            ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
+                          "client sent CONNECT method");
+            ngx_http_finalize_request(r, NGX_HTTP_NOT_ALLOWED);
+            return NGX_ERROR;
+        }
+
+        if (r->headers_in.content_length_n > 0 || r->headers_in.chunked) {
+            ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
+                          "client sent CONNECT request with body");
+            ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
+            return NGX_ERROR;
+        }
     }
 
     if (r->method == NGX_HTTP_TRACE) {