http response header ends with \0x00\0x0d\0x0a cause 502

[beikezcs@…]

we use nginx as reverse proxy,recently,we has a website, when navigate with IE8,we get 502,but if navigate directly to source ip,we get 200。after use tcpdump,we found that one of the reponse header ends with \0x00\0x0d\0x0a,and when nginx parse response header in ngx_http_parse_header_line,when parsr header value,if nginx see '\0', it return NGX_HTTP_PARSE_INVALID_HEADER,and 502 at the end。

i don't know if this is a bug, but as web browser show everything ok,i think nginx should work well too.

[beikezcs@…]

tcp dump result

[Maxim Dounin]

This is intentional. NUL bytes are not allowed by nginx in headers, as they can be used in various attacks. It is also illegal per HTTP specification.

[beikezcs@…]

i think, NUL bytes attacks are used in http request, when handle http reponse,we have no need to special handle '\0'.can you give some examples?

[beikezcs@…]

Replying to mdounin:

This is intentional. NUL bytes are not allowed by nginx in headers, as they can be used in various attacks. It is also illegal per HTTP specification.

i think, NUL bytes attacks are used in http request, when handle http reponse,we have no need to special handle '\0'.can you give some examples?

[Valentin V. Bartenev]

Replying to beikezcs@…:

i think, NUL bytes attacks are used in http request, when handle http reponse,we have no need to special handle '\0'.can you give some examples?

There is an example of successful NUL attack on nginx itself: ​http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1180