author | Maxim Dounin <mdounin@mdounin.ru> | 2021-06-28 18:01:24 +0300 |
---|---|---|
committer | Maxim Dounin <mdounin@mdounin.ru> | 2021-06-28 18:01:24 +0300 |
commit | 07c63a42640e59bf5e3399cfdafd498b61671780 (patch) | |
tree | cea4cff54ed65fb77fa1bebdc94903100299c26f /src/http/ngx_http_request.c | |
parent | 7587778a33bea0ce6f203a8c4de18e33f38b9582 (diff) | |
Disabled control characters in the Host header.
Control characters (0x00-0x1f, 0x7f) and space are not expected to appear
in the Host header. Requests with such characters in the Host header are
now unconditionally rejected.
Diffstat (limited to 'src/http/ngx_http_request.c')
-rw-r--r-- | src/http/ngx_http_request.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
index 2e7c30fb6..2d1845d02 100644
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -2176,15 +2176,16 @@ ngx_http_validate_host(ngx_str_t *host, ngx_pool_t *pool, ngx_uint_t alloc)
 }
 break;
- case '\0':
- return NGX_DECLINED;
-
 default:
 if (ngx_path_separator(ch)) {
 return NGX_DECLINED;
 }
+ if (ch <= 0x20 || ch == 0x7f) {
+ return NGX_DECLINED;
+ }
+
 if (ch >= 'A' && ch <= 'Z') {
 alloc = 1;
 }
|
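Review bot: The added test `ch <= 0x20 || ch == 0x7f` in the `default:` branch only works as a control-character filter if `ch` is an unsigned byte. Its declaration is outside this hunk, so that is worth confirming, because with a signed `char` every byte from 0x80 to 0xff would compare below 0x20 and be declined as well. The bare constants would also read better with a one-line comment above the check, for example `/* reject control characters (0x00-0x1f, 0x7f) and space */`, which also records that the removed `case '\0':` is now covered by this range. ngx_http_validate_host starts and ends outside the hunk.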