From f475868196d2f907768bdfdeec0878ed2702cd0d Mon Sep 17 00:00:00 2001 From: Roman Arutyunyan Date: Thu, 2 Jul 2026 15:09:35 +0400 Subject: [PATCH] Reject HTTP CONNECT requests with body As per RFC 9110, Section 9.3.6: A CONNECT request message does not have content. Also, as per Section 8.6: A user agent SHOULD NOT send a Content-Length header field when the request message does not contain content and the method semantics do not anticipate such data. --- src/http/ngx_http_request.c | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c index a5cd44dcc..2859b5419 100644 --- a/src/http/ngx_http_request.c +++ b/src/http/ngx_http_request.c @@ -2094,13 +2094,20 @@ ngx_http_process_request_header(ngx_http_request_t *r) cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module); - if (r->method == NGX_HTTP_CONNECT - && (r->http_version != NGX_HTTP_VERSION_11 || !cscf->allow_connect)) - { - ngx_log_error(NGX_LOG_INFO, r->connection->log, 0, - "client sent CONNECT method"); - ngx_http_finalize_request(r, NGX_HTTP_NOT_ALLOWED); - return NGX_ERROR; + if (r->method == NGX_HTTP_CONNECT) { + if (r->http_version != NGX_HTTP_VERSION_11 || !cscf->allow_connect) { + ngx_log_error(NGX_LOG_INFO, r->connection->log, 0, + "client sent CONNECT method"); + ngx_http_finalize_request(r, NGX_HTTP_NOT_ALLOWED); + return NGX_ERROR; + } + + if (r->headers_in.content_length_n > 0 || r->headers_in.chunked) { + ngx_log_error(NGX_LOG_INFO, r->connection->log, 0, + "client sent CONNECT request with body"); + ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST); + return NGX_ERROR; + } } if (r->method == NGX_HTTP_TRACE) { -- 2.47.3