Require ":authority" or "Host" in HTTP/3 and HTTP/2 requests.
authorRoman Arutyunyan <arut@nginx.com>
Fri, 29 May 2020 09:42:23 +0000 (12:42 +0300)
committerRoman Arutyunyan <arut@nginx.com>
Fri, 29 May 2020 09:42:23 +0000 (12:42 +0300)
Also, if both are present, require that they have the same value.  These
requirements are specified in HTTP/3 draft 28.

Current implementation of HTTP/2 treats ":authority" and "Host"
interchangeably.  New checks only make sure at least one of these values is
present in the request.  A similar check existed earlier and was limited only
to HTTP/1.1 in 38c0898b6df7.

src/http/ngx_http_request.c

index 3e6fce67651f29a9a69c18fead54175a10506368..23b28c24319a0adbcab3bd96d9efdd73ed12eb58 100644 (file)
@@ -2065,6 +2065,31 @@ ngx_http_process_request_header(ngx_http_request_t *r)
         return NGX_ERROR;
     }
 
+    if (r->http_version >= NGX_HTTP_VERSION_20) {
+        if (r->headers_in.server.len == 0) {
+            ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
+                          "client sent HTTP request without "
+                          "\":authority\" or \"Host\" header");
+            ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
+            return NGX_ERROR;
+        }
+
+        if (r->headers_in.host) {
+            if (r->headers_in.host->value.len != r->headers_in.server.len
+                || ngx_memcmp(r->headers_in.host->value.data,
+                              r->headers_in.server.data,
+                              r->headers_in.server.len)
+                   != 0)
+            {
+                ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
+                              "client sent HTTP request with different "
+                              "values of \":authority\" and \"Host\" headers");
+                ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
+                return NGX_ERROR;
+            }
+        }
+    }
+
     if (r->headers_in.content_length) {
         r->headers_in.content_length_n =
                             ngx_atoof(r->headers_in.content_length->value.data,
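Review bot: The mismatch check at `r->headers_in.host->value.len != r->headers_in.server.len || ngx_memcmp(...)` compares the raw Host header bytes with `r->headers_in.server`, so it is only correct if both values are in the same form. Where `headers_in.server` is filled is outside this hunk; if it holds a validated and normalized host (lowercased, port or trailing dot removed), a request whose Host differs only in case or carries a port would be answered with 400, and on HTTP/2 that could happen even when the client sent a single header. Consider passing the Host value through the same validation before comparing, or state the assumption above the check, e.g. `/* headers_in.server must hold the host exactly as sent; otherwise normalize Host before comparing */`. `ngx_http_process_request_header()` begins and ends outside the hunk.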