HTTP: Reject trailers involved in framing

RFC9112 forbids including Content-Length, Transfer-Encoding, or Upgrade in the trailer section. If they were (invalidly) folded into a header by upstream code, it would allow HTTP request smuggling.
2026-05-13 09:36:42 +00:00 · 2025-03-26 23:34:29 -04:00 · 2025-03-26 23:34:29 -04:00 · 4de1b092fb
commit 4de1b092fb
parent 99a8082e90
1 changed files with 21 additions and 0 deletions
--- a/src/http/ngx_http_parse.c
+++ b/src/http/ngx_http_parse.c
@ -2433,6 +2433,8 @@ before_semi:
            }
            if (ngx_http_token_char(ch)) {
                state = sw_trailer_name;
+                r->lowcase_index = 1;
+                r->lowcase_header[0] = (ch | 0x20);
                break;
            }
            goto invalid;
@ -2445,9 +2447,28 @@ before_semi:

        case sw_trailer_name:
            if (ngx_http_token_char(ch)) {
+                if (r->lowcase_index < NGX_HTTP_LC_HEADER_LEN) {
+                    /* ASCII uppercase letters become the lowercase ones.
+                     * '-' is unchanged. */
+                    r->lowcase_header[r->lowcase_index++] = (ch | 0x20);
+                }
                break;
            }
            if (ch == ':') {
+                switch (r->lowcase_index) {
+#define X(v)                                                                   \
+                case sizeof(v "") - 1:                                         \
+                    if (memcmp(r->lowcase_header, v, r->lowcase_index) == 0) { \
+                        goto invalid;                                          \
+                    }                                                          \
+                    break
+                X("transfer-encoding");
+                X("content-length");
+                X("upgrade");
+#undef X
+                default:
+                    break;
+                }
                state = sw_trailer_value;
                break;
            }