Opened 2 months ago
Closed 2 months ago
#2665 closed defect (wontfix)
Nginx cannot properly process requests with a tab after the colon in a host header
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | nginx-core | Version: | |
| Keywords: | Cc: | ||
| uname -a: | Linux 60ad06590a95 6.9.7-arch1-1 #1 SMP PREEMPT_DYNAMIC Fri, 28 Jun 2024 04:32:50 +0000 x86_64 GNU/Linux | ||
| nginx -V: |
nginx version: nginx/1.27.0
built by clang 17.0.6 (12) configure arguments: --with-cc=/usr/local/bin/afl-cc --with-cc-opt=-fsanitize=address --with-ld-opt=-fsanitize=address |
||
Description
When Nginx receives a request with a tab character ('\x09') after the colon in the Host header field, it responds 400. This is incorrect behavior because the grammar in the HTTP RFCs specifies that any number of HTAB and SP bytes (tabs and spaces) are permitted after the colon in a header field line. I checked 27 other implementations of HTTP, and they all implement this correctly (i.e., they ignore the tab).
To see for yourself, try sending Nginx the following request:
GET / HTTP/1.1\r\n Host:\twhatever\r\n \r\n
It will respond 400. If you change the tab to a space, then it will respond 200.
Note:
See TracTickets
for help on using tickets.
Duplicate of #1752.