check invalid characters in header field-name

2025-10-19 12:52:09 +03:30 · 2025-10-19 12:52:09 +03:30 · 224b9a3978
parent 78d1ab5a2c
commit 224b9a3978
1 changed files with 11 additions and 1 deletions
--- a/src/http/ngx_http_parse.c
+++ b/src/http/ngx_http_parse.c
@ -959,7 +959,17 @@ ngx_http_parse_header_line(ngx_http_request_t *r, ngx_buf_t *b,
                break;
            }

-            if (ch <= 0x20 || ch == 0x7f) {
+            if (ch <= 0x20
+                || ch == 0x22
+                || ch == 0x28
+                || ch == 0x29
+                || ch == 0x2c
+                || ch == 0x2f
+                || (ch >= 0x3b && ch <= 0x40)
+                || (ch >= 0x5b && ch <= 0x5d)
+                || ch == 0x7b
+                || ch == 0x7d
+                ) {
                r->header_end = p;
                return NGX_HTTP_PARSE_INVALID_HEADER;
            }