Added CONNECT method rejection.
No valid CONNECT requests are expected to appear within nginx, since it
is not a forward proxy. Further, request line parsing will reject
proper CONNECT requests anyway, since we don't allow authority-form of
request-target. On the other hand, RFC 7230 specifies separate message
length rules for CONNECT which we don't support, so make sure to always
reject CONNECTs to avoid potential abuse.
diff --git a/src/http/ngx_http_parse.c b/src/http/ngx_http_parse.c
index 20ad89a..71fa3c7 100644
--- a/src/http/ngx_http_parse.c
+++ b/src/http/ngx_http_parse.c
@@ -246,6 +246,11 @@
r->method = NGX_HTTP_OPTIONS;
}
+ if (ngx_str7_cmp(m, 'C', 'O', 'N', 'N', 'E', 'C', 'T', ' '))
+ {
+ r->method = NGX_HTTP_CONNECT;
+ }
+
break;
case 8:
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
index b908e29..5b26138 100644
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -2006,6 +2006,13 @@
}
}
+ if (r->method == NGX_HTTP_CONNECT) {
+ ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
+ "client sent CONNECT method");
+ ngx_http_finalize_request(r, NGX_HTTP_NOT_ALLOWED);
+ return NGX_ERROR;
+ }
+
if (r->method == NGX_HTTP_TRACE) {
ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
"client sent TRACE method");
diff --git a/src/http/ngx_http_request.h b/src/http/ngx_http_request.h
index 6dfb4a4..fa4d5f9 100644
--- a/src/http/ngx_http_request.h
+++ b/src/http/ngx_http_request.h
@@ -25,22 +25,23 @@
#define NGX_HTTP_VERSION_11 1001
#define NGX_HTTP_VERSION_20 2000
-#define NGX_HTTP_UNKNOWN 0x0001
-#define NGX_HTTP_GET 0x0002
-#define NGX_HTTP_HEAD 0x0004
-#define NGX_HTTP_POST 0x0008
-#define NGX_HTTP_PUT 0x0010
-#define NGX_HTTP_DELETE 0x0020
-#define NGX_HTTP_MKCOL 0x0040
-#define NGX_HTTP_COPY 0x0080
-#define NGX_HTTP_MOVE 0x0100
-#define NGX_HTTP_OPTIONS 0x0200
-#define NGX_HTTP_PROPFIND 0x0400
-#define NGX_HTTP_PROPPATCH 0x0800
-#define NGX_HTTP_LOCK 0x1000
-#define NGX_HTTP_UNLOCK 0x2000
-#define NGX_HTTP_PATCH 0x4000
-#define NGX_HTTP_TRACE 0x8000
+#define NGX_HTTP_UNKNOWN 0x00000001
+#define NGX_HTTP_GET 0x00000002
+#define NGX_HTTP_HEAD 0x00000004
+#define NGX_HTTP_POST 0x00000008
+#define NGX_HTTP_PUT 0x00000010
+#define NGX_HTTP_DELETE 0x00000020
+#define NGX_HTTP_MKCOL 0x00000040
+#define NGX_HTTP_COPY 0x00000080
+#define NGX_HTTP_MOVE 0x00000100
+#define NGX_HTTP_OPTIONS 0x00000200
+#define NGX_HTTP_PROPFIND 0x00000400
+#define NGX_HTTP_PROPPATCH 0x00000800
+#define NGX_HTTP_LOCK 0x00001000
+#define NGX_HTTP_UNLOCK 0x00002000
+#define NGX_HTTP_PATCH 0x00004000
+#define NGX_HTTP_TRACE 0x00008000
+#define NGX_HTTP_CONNECT 0x00010000
#define NGX_HTTP_CONNECTION_CLOSE 1
#define NGX_HTTP_CONNECTION_KEEP_ALIVE 2
diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c
index 3611a2e..423667d 100644
--- a/src/http/v2/ngx_http_v2.c
+++ b/src/http/v2/ngx_http_v2.c
@@ -3606,7 +3606,8 @@
{ 4, "LOCK", NGX_HTTP_LOCK },
{ 6, "UNLOCK", NGX_HTTP_UNLOCK },
{ 5, "PATCH", NGX_HTTP_PATCH },
- { 5, "TRACE", NGX_HTTP_TRACE }
+ { 5, "TRACE", NGX_HTTP_TRACE },
+ { 7, "CONNECT", NGX_HTTP_CONNECT }
}, *test;
if (r->method_name.len) {