Opened 4 years ago
Closed 4 years ago
#2050 closed defect (wontfix)
unrecognized method is rejected incorrectly
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | nginx-core | Version: | 1.19.x |
| Keywords: | | Cc: | usadson@… |
| uname -a: | Linux hidden 5.4.0-48-generic #52-Ubuntu SMP Thu Sep 10 10:58:49 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux | | |
| nginx -V: | nginx version: nginx/1.19.3<br>built by gcc 9.3.0 (Ubuntu 9.3.0-10ubuntu2)<br>configure arguments: | | |
Description
Recently I've been working on an HTTP/1.1 conformance tool, and found out that nginx doesn't conform to RFC 7230 Section 3.1.1.
Example request:
```
CZPzPoF!fYNR / HTTP/1.1
Host: localhost
```
The method may seem illegal, but it actually isn't. A method is defined by the RFC as a token, which is one or more tchars:
```
tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." /
        "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
```
The server responds with status-code 400 (Bad Request), which it shouldn't. In the cases where it doesn't recognize the method, a 501 (Not Implemented) is recommended.
Lines 152 to 154 of src/http/ngx_http_parse.c are the problem:
```c
if ((ch < 'A' || ch > 'Z') && ch != '_' && ch != '-') {
    return NGX_HTTP_PARSE_INVALID_METHOD;
}
```
Grammar enforced by nginx for method names is more strict than the one required by RFC 7230. It does not allow anything but ALPHA, `_`, and `-`. This grammar covers all actually used methods. It has nothing to do with unrecognized methods though, as nginx is able to proxy requests with arbitrary methods. There are no plans to allow other characters in method names.
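
The two checks compared in this ticket, as an added example (not nginx code and not written by anyone in the ticket): the RFC 7230 `tchar` set against the per-character condition quoted from `ngx_http_parse.c`, each reporting the offset of the first rejected byte. The function names are hypothetical, and applying the quoted condition to every byte of the method is an assumption, since the ticket shows only that single test.

```c
#include <stdio.h>
#include <string.h>

/* RFC 7230 section 3.2.6 tchar: the symbols listed in the ticket, DIGIT, ALPHA. */
static int is_tchar(unsigned char ch)
{
    if ((ch >= '0' && ch <= '9') || (ch >= 'A' && ch <= 'Z')
        || (ch >= 'a' && ch <= 'z'))
    {
        return 1;
    }
    return ch != '\0' && strchr("!#$%&'*+-.^_`|~", ch) != NULL;
}

/* The condition quoted in the ticket, negated so that 1 means "accepted". */
static int is_quoted_check_char(unsigned char ch)
{
    return !((ch < 'A' || ch > 'Z') && ch != '_' && ch != '-');
}

/* Return -1 if every byte passes accept(), else the offset of the first
 * rejected byte. An empty method is rejected at offset 0, because a token
 * needs at least one tchar. */
static int first_rejected(const char *method, int (*accept)(unsigned char))
{
    size_t i;
    if (method[0] == '\0') return 0;
    for (i = 0; method[i] != '\0'; i++) {
        if (!accept((unsigned char) method[i])) return (int) i;
    }
    return -1;
}

int rfc7230_first_rejected(const char *m) { return first_rejected(m, is_tchar); }
int quoted_check_first_rejected(const char *m) { return first_rejected(m, is_quoted_check_char); }

int main(void)
{
    /* Constructed samples; the first is the method from the ticket. */
    const char *samples[] = { "CZPzPoF!fYNR", "GET", "M-SEARCH", "GE T", "PATCH2" };
    size_t i;
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        printf("%-14s rfc7230=%d quoted-check=%d\n", samples[i],
               rfc7230_first_rejected(samples[i]),
               quoted_check_first_rejected(samples[i]));
    }
    return 0;
}
```

A conformance tool can use the reported offset to tell which byte of a probe method triggered the 400, rather than only that the request was refused.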