Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#1185 closed defect (wontfix)

http response header ends with \0x00\0x0d\0x0a cause 502

Reported by: beikezcs@…
Owned by:
Priority: minor
Milestone:
Component: nginx-module
Version: 1.9.x
Keywords:
Cc:
uname -a: 3.10.0-327.el7.x86_64 #1 SMP Thu Nov 19 22:10:57 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: openresty/1.9.7.3

Description

We use nginx as a reverse proxy. Recently, we have a website where, when navigating with IE8, we get 502, but if we navigate directly to the source IP, we get 200. After using tcpdump, we found that one of the response headers ends with \0x00\0x0d\0x0a, and when nginx parses the response header in ngx_http_parse_header_line, while parsing the header value, if nginx sees '\0', it returns NGX_HTTP_PARSE_INVALID_HEADER, and 502 at the end.

I don't know if this is a bug, but as the web browser shows everything OK, I think nginx should work well too.

Attachments (1)

nginx.png (49.8 KB ) - added by beikezcs@… 8 years ago.
tcp dump result


Change History (5)

by beikezcs@…, 8 years ago

Attachment: nginx.png added

tcp dump result

comment:1 by Maxim Dounin, 8 years ago

Resolution: wontfix
Status: new → closed

This is intentional. NUL bytes are not allowed by nginx in headers, as they can be used in various attacks. It is also illegal per HTTP specification.

comment:2 by beikezcs@…, 8 years ago

I think NUL byte attacks are used in HTTP requests; when handling an HTTP response, we have no need to specially handle '\0'. Can you give some examples?

in reply to:  1 comment:3 by beikezcs@…, 8 years ago

Replying to mdounin:

This is intentional. NUL bytes are not allowed by nginx in headers, as they can be used in various attacks. It is also illegal per HTTP specification.

I think NUL byte attacks are used in HTTP requests; when handling an HTTP response, we have no need to specially handle '\0'. Can you give some examples?

in reply to:  2 comment:4 by Valentin V. Bartenev, 8 years ago

Replying to beikezcs@…:

I think NUL byte attacks are used in HTTP requests; when handling an HTTP response, we have no need to specially handle '\0'. Can you give some examples?

There is an example of successful NUL attack on nginx itself: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1180
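
The tcpdump finding from the ticket can be turned into a repeatable check on captured bytes. The following is an added example, not part of the ticket thread and not nginx's code: a Python sketch that scans the header block of a captured upstream response and reports which header lines contain a NUL byte. The sample response and all function names are constructed for illustration.

```python
# Diagnostic sketch (added example): find NUL bytes in the header block of a
# captured upstream response. It approximates the condition described in the
# ticket; it is not a reimplementation of ngx_http_parse_header_line.

# Constructed sample: one header ends with \x00\r\n, as in the ticket.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"X-Example: value\x00\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"he\x00lo"  # a NUL in the body is not a header problem
)


def split_header_block(raw: bytes) -> bytes:
    """Return the bytes before the blank line that terminates the headers."""
    end = raw.find(b"\r\n\r\n")
    return raw if end == -1 else raw[:end]


def find_nul_headers(raw: bytes):
    """Return (line_number, header_name, offset_in_line) for every header
    line containing a NUL byte. Line 1 is the status line and is skipped."""
    findings = []
    lines = split_header_block(raw).split(b"\r\n")
    for lineno, line in enumerate(lines[1:], start=2):
        offset = line.find(b"\x00")
        if offset == -1:
            continue
        # Make the name printable even if the NUL sits inside it.
        name = line.split(b":", 1)[0].replace(b"\x00", b"\\0")
        findings.append((lineno, name.decode("latin-1"), offset))
    return findings


def would_be_rejected(raw: bytes) -> bool:
    """True if any header line carries a NUL, the case the ticket reports
    as NGX_HTTP_PARSE_INVALID_HEADER followed by a 502."""
    return bool(find_nul_headers(raw))


if __name__ == "__main__":
    for lineno, name, offset in find_nul_headers(SAMPLE_RESPONSE):
        print(f"line {lineno}: header {name!r} has NUL at byte {offset}")
```

Feeding it the reassembled TCP payload of the backend response identifies the header the backend needs to stop emitting, which is the fix available when the proxy will not accept the byte.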
