Opened 22 months ago
Closed 22 months ago
#2442 closed defect (duplicate)
add_header unsanitized
| Reported by: | | Owned by: | |
| --- | --- | --- | --- |
| Priority: | minor | Milestone: | |
| Component: | nginx-module | Version: | 1.23.x |
| Keywords: | ngx_http_headers_module, SSL, HTTP2, HTTP1.1 | Cc: | chipus.htc@… |
| uname -a: | Linux XXXXXXXXXXXXXXX 6.1.8 #4 SMP PREEMPT_DYNAMIC Fri Jan 27 15:33:42 CET 2023 x86_64 x86_64 x86_64 GNU/Linux | | |
| nginx -V: | nginx version: nginx/1.23.3 built by gcc 12.1.1 20220628 (Red Hat 12.1.1-3) (GCC) built with OpenSSL 3.0.1 14 Dec 2021 TLS SNI support enabled configure arguments: --prefix=/opt/nginx --sbin-path=/opt/nginx/sbin/nginx --conf-path=/opt/nginx/etc/nginx.conf --with-zlib-asm=CPU --with-pcre --with-http_realip_module --with-http_ssl_module --with-http_gzip_static_module --with-http_sub_module --with-file-aio --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-http_stub_status_module --with-http_v2_module --with-compat --add-dynamic-module=../ModSecurity-nginx --add-dynamic-module=../ngx_http_geoip2_module | | |
Description
Hi team,
there may be insufficient verification of the correctness of the header name or full header instruction.
In my case, the mistake was sending the wrong header name.
Example: add_header Permissions-Policy" "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(self), clipboard-write=(self), gamepad=(), speaker-selection=(self), conversion-measurement=(self), focus-without-user-activation=(self), hid=(self), idle-detection=(self), interest-cohort=(self), serial=(self), sync-script=(self), trust-token-redemption=(self), window-placement=(self), vertical-scroll=(self)";
The result:
HTTP2 stream breaks for any clients.
HTTP1.1 breaks for iPhones and maybe iMacs
Best regards, Pavlo.
The add_header directive is a low-level directive which makes it possible to return any headers, including ones which are invalid in some protocol versions and rejected by some clients (and even nginx itself). It should be used with care.
Overall, this looks like a duplicate of #2258. Closing as such.
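Because add_header passes the name and value through unchecked, the misplaced quote in the ticket makes nginx emit a header whose name is literally `Permissions-Policy"` (the quote is not a valid token character), which is what the reporter sees as the HTTP/2 stream breaking. A pre-deploy lint catches this class of mistake before it reaches clients. The following is an added example written for this page, not code from the ticket or from nginx itself: it scans a configuration text for add_header directives, splits their arguments with the same quoting rule as ngx_conf_read_token (a word is quoted only when the quote is its first character, and `\"`, `\'`, `\\`, `\t`, `\r`, `\n` are the recognised escapes; this is an approximation of the real tokenizer, assumed close enough for a linter), and flags names that are not RFC 9110 tokens and values that contain control characters. The sample configuration is constructed for the example and includes the ticket's broken directive.

```python
import re
import string

# Characters allowed in an HTTP field name ("tchar", RFC 9110 section 5.6.2).
TCHAR = frozenset("!#$%&'*+-.^_`|~" + string.digits + string.ascii_letters)

# Backslash escapes recognised by nginx's config tokenizer (assumed list).
ESCAPES = {'"': '"', "'": "'", "\\": "\\", "t": "\t", "r": "\r", "n": "\n"}

# An add_header directive at the start of a line (leading whitespace allowed).
ADD_HEADER = re.compile(r"(?m)^[ \t]*add_header\b")


def unescape(raw):
    """Apply the backslash escapes from ESCAPES to one directive argument."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw) and raw[i + 1] in ESCAPES:
            out.append(ESCAPES[raw[i + 1]])
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return "".join(out)


def split_args(text, start):
    """Split the arguments of one directive beginning at text[start].

    A word is quoted only if its FIRST character is a quote; a quote inside a
    bare word is an ordinary character (this is exactly how the ticket's
    directive ends up with a trailing quote in the header name).
    Returns (args, index just past the terminating ';').
    """
    args, i, n = [], start, len(text)
    while i < n:
        c = text[i]
        if c in " \t\r\n":
            i += 1
            continue
        if c == ";":
            return args, i + 1
        if c in "\"'":
            j = i + 1
            while j < n and text[j] != c:
                j += 2 if text[j] == "\\" else 1   # skip an escaped byte
            args.append(unescape(text[i + 1:j]))
            i = j + 1
        else:
            j = i
            while j < n and text[j] not in " \t\r\n;":
                j += 1
            args.append(unescape(text[i:j]))
            i = j
    return args, n


def check_header(name, value):
    """Return a list of problems with a header name/value pair ([] if clean)."""
    problems = []
    if not name:
        problems.append("empty header name")
    bad = sorted(set(c for c in name if c not in TCHAR))
    if bad:
        problems.append("name %r contains non-token characters %r"
                        % (name, "".join(bad)))
    ctl = sorted(set(c for c in value
                     if (ord(c) < 0x20 and c != "\t") or c == "\x7f"))
    if ctl:
        problems.append("value contains control characters %r" % "".join(ctl))
    return problems


def lint_config(text):
    """Report (line_number, header_name, problems) for every add_header
    directive that would emit an invalid header. $variables are not expanded,
    so a value that is only wrong at runtime is not caught here."""
    findings = []
    for m in ADD_HEADER.finditer(text):
        args, _ = split_args(text, m.end())
        line = text.count("\n", 0, m.start()) + 1
        if len(args) < 2:
            findings.append((line, None, ["add_header needs a name and a value"]))
            continue
        name, value = args[0], args[1]       # an optional third arg is "always"
        problems = check_header(name, value)
        if problems:
            findings.append((line, name, problems))
    return findings


# Constructed sample: the ticket's misplaced quote, the intended form, and a
# value carrying CR/LF, which nginx would likewise write to the wire as-is.
SAMPLE_CONFIG = """\
server {
    # 1: the misplaced quote from the ticket; the name becomes Permissions-Policy"
    add_header Permissions-Policy" "accelerometer=(), camera=(), geolocation=()";
    # 2: the intended directive
    add_header Permissions-Policy "accelerometer=(), camera=(), geolocation=()";
    # 3: a value with an embedded line break
    add_header X-Broken "first line\\r\\nsecond";
}
"""

if __name__ == "__main__":
    for line, name, problems in lint_config(SAMPLE_CONFIG):
        print("line %d: %s" % (line, "; ".join(problems)))
```

Run against a real nginx.conf the script reports the line of each offending directive; the first finding for the sample is the ticket's line, with `"` as the non-token character. Note that the scanner only looks at directives starting a line and does not follow `include`, so it is a cheap pre-deploy check rather than a full config parser.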