#2442 closed defect (duplicate)

add_header unsanitized

Reported by: chipus.htc@… Owned by:
Priority: minor Milestone:
Component: nginx-module Version: 1.23.x
Keywords: ngx_http_headers_module, SSL, HTTP2, HTTP1.1 Cc: chipus.htc@…
uname -a: Linux XXXXXXXXXXXXXXX 6.1.8 #4 SMP PREEMPT_DYNAMIC Fri Jan 27 15:33:42 CET 2023 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.23.3
built by gcc 12.1.1 20220628 (Red Hat 12.1.1-3) (GCC)
built with OpenSSL 3.0.1 14 Dec 2021
TLS SNI support enabled
configure arguments: --prefix=/opt/nginx --sbin-path=/opt/nginx/sbin/nginx --conf-path=/opt/nginx/etc/nginx.conf --with-zlib-asm=CPU --with-pcre --with-http_realip_module --with-http_ssl_module --with-http_gzip_static_module --with-http_sub_module --with-file-aio --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-http_stub_status_module --with-http_v2_module --with-compat --add-dynamic-module=../ModSecurity-nginx --add-dynamic-module=../ngx_http_geoip2_module


Hi team,

there may be insufficient verification of the correctness of the header name or full header instruction.

In my case, the mistape was sending the wrong header name.
Example: add_header Permissions-Policy" "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(self), clipboard-write=(self), gamepad=(), speaker-selection=(self), conversion-measurement=(self), focus-without-user-activation=(self), hid=(self), idle-detection=(self), interest-cohort=(self), serial=(self), sync-script=(self), trust-token-redemption=(self), window-placement=(self), vertical-scroll=(self)";

The result:
HTTP2 stream breaks for any clients.
HTTP1.1 breaks for iPhones and may be iMacs

Best regards, Pavlo.

Change History (1)

comment:1 by Maxim Dounin, 15 months ago

Resolution: duplicate
Status: newclosed

The add_header directive is a low-level directive which makes it possible to return any headers, including ones which are invalid in some protocol versions and rejected by some clients (and even nginx itself). It should be used with care.

Overall, this looks like a duplicate of #2258. Closing as such.

Note: See TracTickets for help on using tickets.