serv/caddy
1
0
Fork 0
mirror of https://github.com/caddyserver/caddy.git synced 2024-12-27 22:23:48 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions

caddyhttp: Reject absurd methods (#4538)

Browse source 
* caddyhttp: Reject absurdly long methods

* Limit method to 32 chars and truncate

* Just reject the request and debug-log it

* Log remote address
This commit is contained in:
Matt Holt 2022-01-19 13:44:09 -07:00 committed by GitHub
parent 94035c1797
commit bf380d00ab
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 11 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
modules/caddyhttp/server.go
View file

@ -150,6 +150,17 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
} }
} }
// reject very long methods; probably a mistake or an attack
if len(r.Method) > 32 {
if s.shouldLogRequest(r) {
s.accessLogger.Debug("rejecting request with long method",
zap.String("method_trunc", r.Method[:32]),
zap.String("remote_addr", r.RemoteAddr))
}
w.WriteHeader(http.StatusMethodNotAllowed)
return
}
repl := caddy.NewReplacer() repl := caddy.NewReplacer()
r = PrepareRequest(r, repl, w, s) r = PrepareRequest(r, repl, w, s)