From e082b7be72cddee2e964a81d4c8d756ba875a762 Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa
Date: Thu, 3 Nov 2016 17:00:05 +0900
Subject: [PATCH] nghttpx: Strict handling for Content-Length or Transfer-Encoding in h1

We now treat Content-Length or Transfer-Encoding as error if they come with 204 or 1xx status code, or 200 to a CONNECT request in HTTP/1 response.
---
 src/shrpx_http_downstream_connection.cc | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/src/shrpx_http_downstream_connection.cc b/src/shrpx_http_downstream_connection.cc
index d42acd02..46d35514 100644
--- a/src/shrpx_http_downstream_connection.cc
+++ b/src/shrpx_http_downstream_connection.cc
@@ -701,6 +701,18 @@ int htp_hdrs_completecb(http_parser *htp) {
   downstream->set_downstream_addr_group(dconn->get_downstream_addr_group());
   downstream->set_addr(dconn->get_addr());
 
+  // Server MUST NOT send Transfer-Encoding with a status code 1xx or
+  // 204. Also server MUST NOT send Transfer-Encoding with a status
+  // code 200 to a CONNECT request. Same holds true with
+  // Content-Length.
+  if (resp.http_status == 204 || resp.http_status / 100 == 1 ||
+      (resp.http_status == 200 && req.method == HTTP_CONNECT)) {
+    if (resp.fs.header(http2::HD_CONTENT_LENGTH) ||
+        resp.fs.header(http2::HD_TRANSFER_ENCODING)) {
+      return -1;
+    }
+  }
+
   if (resp.fs.parse_content_length() != 0) {
     downstream->set_response_state(Downstream::MSG_BAD_HEADER);
     return -1;
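Review bot: The CONNECT branch of the new condition only matches status 200, while the rule the comment describes applies to any successful (2xx) response to a CONNECT request, so a 2xx other than 200 carrying Content-Length or Transfer-Encoding is not rejected here and falls through to the generic parsing below; `(resp.http_status / 100 == 2 && req.method == HTTP_CONNECT)` would match the stated intent, and the comment's "status code 200" should then read "2xx status code". Separately, the new `return -1;` leaves the response state untouched, whereas the parse_content_length failure immediately below first calls `downstream->set_response_state(Downstream::MSG_BAD_HEADER);`; if the caller uses that state to classify or log the failed upstream response, the new branch should set it the same way before returning. htp_hdrs_completecb begins and ends outside the hunk, so how the caller treats -1 without MSG_BAD_HEADER cannot be confirmed from here.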