caddyhttp: Reject absurd methods (#4538)

* caddyhttp: Reject absurdly long methods * Limit method to 32 chars and truncate * Just reject the request and debug-log it * Log remote address
author: Matt Holt <mholt@users.noreply.github.com> 2022-01-19 13:44:09 -0700
committer: GitHub <noreply@github.com> 2022-01-19 13:44:09 -0700
commit: bf380d00ab62ccedcf5d7f32125bfbd4dd636d01 (patch)
tree: e58823fa23f18bb1e60acf0c2ee9f51eac8d793a /modules
parent: 94035c1797015eef281cac0c0911ede2fbb4ca71 (diff)
1 files changed, 11 insertions, 0 deletions
diff --git a/modules/caddyhttp/server.go b/modules/caddyhttp/server.go
index e302c36..964b2a4 100644
--- a/modules/caddyhttp/server.go
+++ b/modules/caddyhttp/server.go
@@ -150,6 +150,17 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		}
 	}
 
+	// reject very long methods; probably a mistake or an attack
+	if len(r.Method) > 32 {
+		if s.shouldLogRequest(r) {
+			s.accessLogger.Debug("rejecting request with long method",
+				zap.String("method_trunc", r.Method[:32]),
+				zap.String("remote_addr", r.RemoteAddr))
+		}
+		w.WriteHeader(http.StatusMethodNotAllowed)
+		return
+	}
+
 	repl := caddy.NewReplacer()
 	r = PrepareRequest(r, repl, w, s)
author	Matt Holt <mholt@users.noreply.github.com>	2022-01-19 13:44:09 -0700
committer	GitHub <noreply@github.com>	2022-01-19 13:44:09 -0700
commit	bf380d00ab62ccedcf5d7f32125bfbd4dd636d01 (patch)
tree	e58823fa23f18bb1e60acf0c2ee9f51eac8d793a /modules
parent	94035c1797015eef281cac0c0911ede2fbb4ca71 (diff)