# HG changeset patch
# User Piotr Sikora <pi...@cloudflare.com>
# Date 1418870862 28800
# Wed Dec 17 18:47:42 2014 -0800
# Node ID ab0442e232ce098438943a77422d8a04cc5b6790
# Parent 99751fe3bc3b285801b434f7f707d87fa42b093e
Add strict Host validation.
According to RFC3986, Host is a sequence of printable ASCII characters, with the exception of: space, ", #, /, <, >, ?, @, \, ^, `, {, | and }.
Signed-off-by: Piotr Sikora <pi...@cloudflare.com>
diff -r 99751fe3bc3b -r ab0442e232ce src/http/ngx_http_request.c
--- a/src/http/ngx_http_request.c Fri Dec 12 20:25:42 2014 +0300
+++ b/src/http/ngx_http_request.c Wed Dec 17 18:47:42 2014 -0800
@@ -1955,12 +1955,25 @@ ngx_http_validate_host(ngx_str_t *host,
 }
 break;
- case '\0':
+ case ' ':
+ case '"':
+ case '#':
+ case '/':
+ case '<':
+ case '>':
+ case '?':
+ case '@':
+ case '\\':
+ case '^':
+ case '`':
+ case '{':
+ case '|':
+ case '}':
 return NGX_DECLINED;
 default:
- if (ngx_path_separator(ch)) {
+ if (ch < 0x20 || ch > 0x7e) {
 return NGX_DECLINED;
 }
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
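Review bot: Removing `case '\0':` leaves NUL rejected only implicitly, through the new `ch < 0x20` test in the `default:` branch, and nothing in the hunk records that. A comment above the test such as `/* reject control characters (including NUL), DEL and bytes above 0x7e */` would keep the guarantee visible to whoever next edits the range. The new case list would likewise benefit from a one-line comment such as `/* printable ASCII characters not allowed in Host */`. Note that '%' still falls through to `default:` and is accepted, so percent-encoded forms of the rejected characters pass unchanged; that only matters if some consumer of the host value decodes it, which is not visible here. The body of ngx_http_validate_host starts before and continues after the hunk.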