Opened 5 months ago

Closed 5 months ago

#2665 closed defect (wontfix)

Nginx cannot properly process requests with a tab after the colon in a host header

Reported by: kenballus@… Owned by:
Priority: minor Milestone:
Component: nginx-core Version:
Keywords: Cc:
uname -a: Linux 60ad06590a95 6.9.7-arch1-1 #1 SMP PREEMPT_DYNAMIC Fri, 28 Jun 2024 04:32:50 +0000 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.27.0
built by clang 17.0.6 (12)
configure arguments: --with-cc=/usr/local/bin/afl-cc --with-cc-opt=-fsanitize=address --with-ld-opt=-fsanitize=address

Description

When Nginx receives a request with a tab character ('\x09') after the colon in the Host header field, it responds 400. This is incorrect behavior because the grammar in the HTTP RFCs specifies that any number of HTAB and SP bytes (tabs and spaces) are permitted after the colon in a header field line. I checked 27 other implementations of HTTP, and they all implement this correctly (i.e., they ignore the tab).

To see for yourself, try sending Nginx the following request:

GET / HTTP/1.1\r\n
Host:\twhatever\r\n
\r\n

It will respond 400. If you change the tab to a space, then it will respond 200.

Change History (1)

comment:1 by Roman Arutyunyan, 5 months ago

Resolution: wontfix
Status: newclosed

Duplicate of #1752.

Note: See TracTickets for help on using tickets.