From: Roman Arutyunyan Date: Fri, 29 May 2020 09:42:23 +0000 (+0300) Subject: Require ":authority" or "Host" in HTTP/3 and HTTP/2 requests. X-Git-Tag: release-1.25.0~4^2~689 X-Git-Url: http://git.kaiwu.me/postgresql/log/contrib/postgres_fdw/static/gitweb.js?a=commitdiff_plain;h=22297afd7924d00440105bc440aa4f67fde380fe;p=nginx.git Require ":authority" or "Host" in HTTP/3 and HTTP/2 requests. Also, if both are present, require that they have the same value. These requirements are specified in HTTP/3 draft 28. Current implementation of HTTP/2 treats ":authority" and "Host" interchangeably. New checks only make sure at least one of these values is present in the request. A similar check existed earlier and was limited only to HTTP/1.1 in 38c0898b6df7. --- diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c index 3e6fce676..23b28c243 100644 --- a/src/http/ngx_http_request.c +++ b/src/http/ngx_http_request.c @@ -2065,6 +2065,31 @@ ngx_http_process_request_header(ngx_http_request_t *r) return NGX_ERROR; } + if (r->http_version >= NGX_HTTP_VERSION_20) { + if (r->headers_in.server.len == 0) { + ngx_log_error(NGX_LOG_INFO, r->connection->log, 0, + "client sent HTTP request without " + "\":authority\" or \"Host\" header"); + ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST); + return NGX_ERROR; + } + + if (r->headers_in.host) { + if (r->headers_in.host->value.len != r->headers_in.server.len + || ngx_memcmp(r->headers_in.host->value.data, + r->headers_in.server.data, + r->headers_in.server.len) + != 0) + { + ngx_log_error(NGX_LOG_INFO, r->connection->log, 0, + "client sent HTTP request with different " + "values of \":authority\" and \"Host\" headers"); + ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST); + return NGX_ERROR; + } + } + } + if (r->headers_in.content_length) { r->headers_in.content_length_n = ngx_atoof(r->headers_in.content_length->value.data,