commit 2e708b190e0daaa5d685f1e00c412baf814ff9dd
author Sergey Kandaurov <pluknet@nginx.com> Mon Aug 09 18:12:12 2021 +0300
committer Sergey Kandaurov <pluknet@nginx.com> Mon Aug 09 18:12:12 2021 +0300
tree c780c95190f6db507cf676420d9c4c83cfe8f108
parent e4c04f933b737ca49114058c12c5ab37d667f87d

Disabled HTTP/1.0 requests with Transfer-Encoding.

The latest HTTP/1.1 draft describes Transfer-Encoding in HTTP/1.0 as having
potentially faulty message framing as that could have been forwarded without
handling of the chunked encoding, and forbids processing subsequest requests
over that connection: https://github.com/httpwg/http-core/issues/879.

While handling of such requests is permitted, the most secure approach seems
to reject them.

src/http/ngx_http_request.c

diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
index 2d1845d..bf931bf 100644
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -1983,6 +1983,14 @@
     }
 
     if (r->headers_in.transfer_encoding) {
+        if (r->http_version < NGX_HTTP_VERSION_11) {
+            ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
+                          "client sent HTTP/1.0 request with "
+                          "\"Transfer-Encoding\" header");
+            ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
+            return NGX_ERROR;
+        }
+
         if (r->headers_in.transfer_encoding->value.len == 7
             && ngx_strncasecmp(r->headers_in.transfer_encoding->value.data,
                                (u_char *) "chunked", 7) == 0)