Opened 3 years ago

Closed 3 years ago

#2209 closed defect (wontfix)

HTTP version 01.1 and 1.01 accepted

Reported by: asta12@… Owned by:
Priority: minor Milestone:
Component: nginx-core Version: 1.19.x
Keywords: Cc: asta12@…
uname -a: Linux asta 5.8.0-1032-gcp #34~20.04.1-Ubuntu SMP Wed May 19 18:19:35 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.18.0 (Ubuntu)
built with OpenSSL 1.1.1f 31 Mar 2020
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-KTLRnK/nginx-1.18.0=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-compat --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module

Description

Nginx accepts requests with the following versions

00000000000000001.1
1.00000000000000001

How to reproduce

Start nginx with the following config

events {}

http {
    server {
        location / {
            proxy_pass http://localhost:7000/;
        }
    }
}

Start listening on port 7000 using the following command

nc -lvnp 7000

Send the following request to nginx

GET / HTTP/00000000000001.1
Host: example.com
Connection: close

This can be done using the following command

echo -ne "GET / HTTP/00000000000001.1\r\nConnection: close\r\nHost: example.com\r\n\r\n" | nc localhost 80

We see that nginx forwards the following to port 7000

GET / HTTP/1.0
Host: localhost:7000
Connection: close

Additional information

The following ABNF describes the syntax for the HTTP version in a request where DIGIT is a decimal from 0-9.

HTTP-version  = HTTP-name "/" DIGIT "." DIGIT
HTTP-name     = %x48.54.54.50 ; "HTTP", case-sensitive

You can see that only one DIGIT is allowed before and one after the "."

You can read more about it here: https://datatracker.ietf.org/doc/html/rfc7230#section-2.6

Change History (3)

comment:1 by Maxim Dounin, 3 years ago

As you can see from https://datatracker.ietf.org/doc/html/rfc7230#appendix-A.2, this is a change from RFC 2616:

   The HTTP-version ABNF production has been clarified to be case-
   sensitive.  Additionally, version numbers have been restricted to
   single digits, due to the fact that implementations are known to
   handle multi-digit version numbers incorrectly.  (Section 2.6)

Since nginx does support multi-digit versions, the existing support for parsing multi-digit versions wasn't removed. In particular, leading zeros are ignored as RFC 2616 requires. While this behaviour accepts HTTP messages not valid per RFC 7230, it is believed to be safe.

If you think that the behaviour is worth changing for reasons other than "RFC 7230 syntax says there should be one digit", you may want to provide these reasons.
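The two grammars under discussion in the description and in comment:1 are easy to see side by side in code. The following is an added example written for this page, not nginx's own parser: it implements RFC 7230's single-digit `DIGIT "." DIGIT` rule and RFC 2616's `1*DIGIT "." 1*DIGIT` rule (with leading zeros ignored, as RFC 2616 requires) and classifies the request lines from the ticket plus a few constructed edge cases. The regular expressions are my reading of the two ABNF productions, and `classify_request_line` is a hypothetical helper, not anything nginx exposes.

```python
import re

# RFC 7230 section 2.6 grammar quoted in the ticket:
#   HTTP-version = HTTP-name "/" DIGIT "." DIGIT
# HTTP-name is case-sensitive, so the anchor is a literal "HTTP".
STRICT_RE = re.compile(r"^HTTP/([0-9])\.([0-9])$")

# RFC 2616 section 3.1 grammar that comment:1 refers to:
#   HTTP-Version = "HTTP" "/" 1*DIGIT "." 1*DIGIT
# Major and minor are separate integers; leading zeros are ignored.
LENIENT_RE = re.compile(r"^HTTP/([0-9]+)\.([0-9]+)$")


def parse_version_strict(token):
    """(major, minor) if token matches RFC 7230's single-digit grammar, else None."""
    m = STRICT_RE.match(token)
    return (int(m.group(1)), int(m.group(2))) if m else None


def parse_version_lenient(token):
    """(major, minor) under RFC 2616's 1*DIGIT grammar; int() drops leading zeros."""
    m = LENIENT_RE.match(token)
    return (int(m.group(1)), int(m.group(2))) if m else None


def classify_request_line(line):
    """Hypothetical helper: report how each grammar treats one request line's version."""
    parts = line.split(" ")
    if len(parts) != 3:
        return {"line": line, "strict": None, "lenient": None,
                "verdict": "malformed request line"}
    version = parts[2]
    strict = parse_version_strict(version)
    lenient = parse_version_lenient(version)
    if strict is not None:
        verdict = "valid under both RFC 7230 and RFC 2616"
    elif lenient is not None:
        verdict = "RFC 2616 only: accepted by a multi-digit parser, rejected by RFC 7230"
    else:
        verdict = "rejected by both grammars"
    return {"line": line, "strict": strict, "lenient": lenient, "verdict": verdict}


# Constructed sample request lines: the two from the ticket plus a few edge cases.
SAMPLE_REQUEST_LINES = [
    "GET / HTTP/1.1",
    "GET / HTTP/00000000000001.1",     # leading zeros in the major number (from the ticket)
    "GET / HTTP/1.00000000000000001",  # leading zeros in the minor number (from the ticket)
    "GET / HTTP/1.10",                 # minor is 10, not 1: the hazard RFC 7230 cites
    "GET / http/1.1",                  # HTTP-name is case-sensitive
    "GET / HTTP/1",                    # minor number missing
]


def main():
    for line in SAMPLE_REQUEST_LINES:
        r = classify_request_line(line)
        print(f"{line!r:36} strict={r['strict']} lenient={r['lenient']}  {r['verdict']}")


if __name__ == "__main__":
    main()
```

The `HTTP/1.10` case is the one the RFC 7230 note refers to: a multi-digit parser reads it as minor version 10, while a reader who thinks of versions as decimals may take it for 1.1. As the ticket's reproduction shows, the upstream behind `proxy_pass` only ever sees `HTTP/1.0`, so any check or logging of the version token as received has to happen at the front end (for nginx, the `$server_protocol` variable in the access log format carries the protocol as the client sent it).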

comment:2 by asta12@…, 3 years ago

No, we don't have any other reason. Thanks for the response!

comment:3 by Maxim Dounin, 3 years ago

Resolution: wontfix
Status: new → closed

Thanks for the feedback. Closing this, since there are no apparent reasons to restrict version parsing from the RFC 2616 syntax to the single-digit syntax introduced in RFC 7230.
