Mercurial > nginx
changeset 9436:cd57402d2f66
HTTP/3: fixed handling of :authority and Host with port.
RFC 9114, Section 4.3.1. specifies a restriction for :authority and Host
coexistence in an HTTP/3 request:
: If both fields are present, they MUST contain the same value.
Previously, this restriction was correctly enforced only for portless
values. When Host contained a port, the request failed as if :authority
and Host were different, regardless of :authority presence.
This happens because the value of r->headers_in.server used for :authority
has port stripped. The fix is to use r->host_start / r->host_end instead.
| author | Roman Arutyunyan <arut@nginx.com> |
|---|---|
| date | Thu, 26 Jun 2025 20:19:59 +0400 |
| parents | efb06290410c |
| children | 3b0b06326b85 |
| files | src/http/v3/ngx_http_v3_request.c |
| diffstat | 1 files changed, 8 insertions(+), 5 deletions(-) [+] |
line wrap: on
line diff
--- a/src/http/v3/ngx_http_v3_request.c Thu Sep 05 19:35:43 2024 +0400 +++ b/src/http/v3/ngx_http_v3_request.c Thu Jun 26 20:19:59 2025 +0400 @@ -1003,6 +1003,7 @@ { ssize_t n; ngx_buf_t *b; + ngx_str_t host; ngx_connection_t *c; ngx_http_v3_session_t *h3c; ngx_http_v3_srv_conf_t *h3scf; @@ -1034,11 +1035,13 @@ goto failed; } - if (r->headers_in.host) { - if (r->headers_in.host->value.len != r->headers_in.server.len - || ngx_memcmp(r->headers_in.host->value.data, - r->headers_in.server.data, - r->headers_in.server.len) + if (r->headers_in.host && r->host_end) { + + host.len = r->host_end - r->host_start; + host.data = r->host_start; + + if (r->headers_in.host->value.len != host.len + || ngx_memcmp(r->headers_in.host->value.data, host.data, host.len) != 0) { ngx_log_error(NGX_LOG_INFO, c->log, 0,