Opened 4 weeks ago

Closed 4 weeks ago

#2050 closed defect (wontfix)

unrecognized method is rejected incorrectly

Reported by: usadson@… Owned by:
Priority: minor Milestone:
Component: nginx-core Version: 1.19.x
Keywords: Cc: usadson@…
uname -a: Linux hidden 5.4.0-48-generic #52-Ubuntu SMP Thu Sep 10 10:58:49 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.19.3
built by gcc 9.3.0 (Ubuntu 9.3.0-10ubuntu2)
configure arguments:

Description

Recently I've been working on a HTTP/1.1 conformance tool, and found out that nginx doesn't conform to the RFC 7230 Section 3.1.1.

Example request:

CZPzPoF!fYNR / HTTP/1.1
Host: localhost

The method may seem illegal, but it actually isn't. A method is defined by the RFC as a token, which is one of more tchars:

tchar  = "!" / "#" / "$" / "%" / "&" / "'" / "*"
       / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~"
       / DIGIT / ALPHA

The server responds with status-code 400 (Bad Request), which it shouldn't. In the cases where it doens't recognize the method a 501 (Not Implemented) is recommended.

Lines 152 to 154 of src/http/ngx_http_parse.c are the problem:

if ((ch < 'A' || ch > 'Z') && ch != '_' && ch != '-') {
  return NGX_HTTP_PARSE_INVALID_METHOD;
}

Change History (1)

comment:1 by Maxim Dounin, 4 weeks ago

Resolution: wontfix
Status: newclosed

Grammar enforced by nginx for method names is more strict than the one required by RFC 7230. It does not allow anything but ALPHA, _, and -. This grammar covers all actually used methods. It has nothing to do with unrecognized methods though, as nginx is able to proxy requests with arbitrary methods. There are no plans to allow other characters in method names.

Note: See TracTickets for help on using tickets.