From 4de1b092fbaba5477a94bc7ac422e4fb67c7ced0 Mon Sep 17 00:00:00 2001
From: Demi Marie Obenour
Date: Wed, 26 Mar 2025 23:34:29 -0400
Subject: [PATCH] HTTP: Reject trailers involved in framing

RFC9112 forbids including Content-Length, Transfer-Encoding, or Upgrade in the trailer section. If they were (invalidly) folded into a header by upstream code, it would allow HTTP request smuggling.
---
 src/http/ngx_http_parse.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/src/http/ngx_http_parse.c b/src/http/ngx_http_parse.c
index f577c5468..b4fc241d4 100644
--- a/src/http/ngx_http_parse.c
+++ b/src/http/ngx_http_parse.c
@@ -2433,6 +2433,8 @@ before_semi:
 }
 if (ngx_http_token_char(ch)) {
 state = sw_trailer_name;
+ r->lowcase_index = 1;
+ r->lowcase_header[0] = (ch | 0x20);
 break;
 }
 goto invalid;
@@ -2445,9 +2447,28 @@ before_semi:
 case sw_trailer_name:
 if (ngx_http_token_char(ch)) {
+ if (r->lowcase_index < NGX_HTTP_LC_HEADER_LEN) {
+ /* ASCII uppercase letters become the lowercase ones.
+ * '-' is unchanged. */
+ r->lowcase_header[r->lowcase_index++] = (ch | 0x20);
+ }
 break;
 }
 if (ch == ':') {
+ switch (r->lowcase_index) {
+#define X(v) \
+ case sizeof(v "") - 1: \
+ if (memcmp(r->lowcase_header, v, r->lowcase_index) == 0) { \
+ goto invalid; \
+ } \
+ break
+ X("transfer-encoding");
+ X("content-length");
+ X("upgrade");
+#undef X
+ default:
+ break;
+ }
 state = sw_trailer_value;
 break;
 }
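Review bot: In the first hunk (@@ -2433,6 +2433,8 @@) the name accumulator is restarted only on this one transition into `sw_trailer_name`, so the later check at ':' is sound only if no other state enters `sw_trailer_name` without the same two assignments. The rest of the state machine lies outside the hunk, so that cannot be confirmed from here; if a later trailer line reaches the state by another path, a stale `lowcase_index` would make the length switch compare the wrong bytes and a blocked name could pass. I would put the invariant on the new lines, e.g. `/* every entry into sw_trailer_name must restart lowcase_header and lowcase_index */`. If the parser can be resumed in the middle of a name, it is also worth stating that the partial name is kept in `r` and must not be overwritten by other users of `r->lowcase_header` between calls.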
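Review bot: In the second hunk (@@ -2445,9 +2447,28 @@) the deny-list match silently depends on `NGX_HTTP_LC_HEADER_LEN` being strictly larger than the longest blocked name, because the copy in `sw_trailer_name` stops advancing `lowcase_index` at the cap without recording that the name was truncated. The constant's value is not visible in this hunk; with a cap below 17 `transfer-encoding` could never match, and with a cap of exactly 17 any longer name sharing that prefix would be rejected as well. A comment above the switch would pin this down, e.g. `/* relies on NGX_HTTP_LC_HEADER_LEN > sizeof("transfer-encoding") - 1; longer names saturate the index and never match */`. As a style point, the case body calls `memcmp` directly where nginx code normally uses `ngx_memcmp`, and the local `X` macro would read more easily as a small static table of names walked in a loop. The enclosing function begins and ends outside the hunk.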