author | Maxim Dounin <mdounin@mdounin.ru> | 2021-06-28 18:01:04 +0300 |
---|---|---|
committer | Maxim Dounin <mdounin@mdounin.ru> | 2021-06-28 18:01:04 +0300 |
commit | 5f85bb3714a81d158f4d849ad5c61aec2737a9f0 (patch) | |
tree | 432fbcb511cea5b4f1583e365883af738f8c92d4 /src/http/ngx_http_request.c | |
parent | d9c1d1bae7ae2c83fb65ca00a47ad6c1199a691e (diff) | |

Added CONNECT method rejection.

No valid CONNECT requests are expected to appear within nginx, since it
is not a forward proxy. Further, request line parsing will reject
proper CONNECT requests anyway, since we don't allow authority-form of
request-target. On the other hand, RFC 7230 specifies separate message
length rules for CONNECT which we don't support, so make sure to always
reject CONNECTs to avoid potential abuse.
Diffstat (limited to 'src/http/ngx_http_request.c')
-rw-r--r-- | src/http/ngx_http_request.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c index b908e2941..5b2613870 100644 --- a/src/http/ngx_http_request.c +++ b/src/http/ngx_http_request.c @@ -2006,6 +2006,13 @@ ngx_http_process_request_header(ngx_http_request_t *r) } } + if (r->method == NGX_HTTP_CONNECT) { + ngx_log_error(NGX_LOG_INFO, r->connection->log, 0, + "client sent CONNECT method"); + ngx_http_finalize_request(r, NGX_HTTP_NOT_ALLOWED); + return NGX_ERROR; + } + if (r->method == NGX_HTTP_TRACE) { ngx_log_error(NGX_LOG_INFO, r->connection->log, 0, "client sent TRACE method"); |
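Review bot: the added `if (r->method == NGX_HTTP_CONNECT)` block in ngx_http_process_request_header() has no comment explaining why CONNECT is refused, and the log text "client sent CONNECT method" does not say either. The rationale lives only in the commit message (RFC 7230 defines separate message length rules for CONNECT that are not supported, and request-line parsing already rejects authority-form targets), so in the source this block reads as a copy of the TRACE check that follows it. A short comment above the `if` stating that CONNECT is always rejected because its message length rules are not implemented would keep a later cleanup from removing the check as redundant with request-line parsing. The two blocks are also identical apart from the method constant and the log string; if more methods are rejected this way, a shared helper would keep the status code and log level consistent.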