Opened 23 months ago

Closed 23 months ago

Last modified 23 months ago

#1185 closed defect (wontfix)

http response header ends with \0x00\0x0d\0x0a cause 502

Reported by: beikezcs@… Owned by:
Priority: minor Milestone:
Component: nginx-module Version: 1.9.x
Keywords: Cc:
uname -a: 3.10.0-327.el7.x86_64 #1 SMP Thu Nov 19 22:10:57 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: openresty/1.9.7.3

Description

we use nginx as reverse proxy,recently,we has a website, when navigate with IE8,we get 502,but if navigate directly to source ip,we get 200。after use tcpdump,we found that one of the reponse header ends with \0x00\0x0d\0x0a,and when nginx parse response header in ngx_http_parse_header_line,when parsr header value,if nginx see '\0', it return NGX_HTTP_PARSE_INVALID_HEADER,and 502 at the end。

i don't know if this is a bug, but as web browser show everything ok,i think nginx should work well too.

Attachments (1)

nginx.png (49.8 KB) - added by beikezcs@… 23 months ago.
tcp dump result

Download all attachments as: .zip

Change History (5)

Changed 23 months ago by beikezcs@…

tcp dump result

comment:1 follow-up: Changed 23 months ago by mdounin

  • Resolution set to wontfix
  • Status changed from new to closed

This is intentional. NUL bytes are not allowed by nginx in headers, as they can be used in various attacks. It is also illegal per HTTP specification.

comment:2 follow-up: Changed 23 months ago by beikezcs@…

i think, NUL bytes attacks are used in http request, when handle http reponse,we have no need to special handle '\0'.can you give some examples?

comment:3 in reply to: ↑ 1 Changed 23 months ago by beikezcs@…

Replying to mdounin:

This is intentional. NUL bytes are not allowed by nginx in headers, as they can be used in various attacks. It is also illegal per HTTP specification.

i think, NUL bytes attacks are used in http request, when handle http reponse,we have no need to special handle '\0'.can you give some examples?

comment:4 in reply to: ↑ 2 Changed 23 months ago by vbart

Replying to beikezcs@…:

i think, NUL bytes attacks are used in http request, when handle http reponse,we have no need to special handle '\0'.can you give some examples?

There is an example of successful NUL attack on nginx itself: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1180

Note: See TracTickets for help on using tickets.