diff options
author | Matt Holt <mholt@users.noreply.github.com> | 2022-01-19 13:44:09 -0700 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-01-19 13:44:09 -0700 |
commit | bf380d00ab62ccedcf5d7f32125bfbd4dd636d01 (patch) | |
tree | e58823fa23f18bb1e60acf0c2ee9f51eac8d793a /modules | |
parent | 94035c1797015eef281cac0c0911ede2fbb4ca71 (diff) |
caddyhttp: Reject absurd methods (#4538)
* caddyhttp: Reject absurdly long methods
* Limit method to 32 chars and truncate
* Just reject the request and debug-log it
* Log remote address
Diffstat (limited to 'modules')
-rw-r--r-- | modules/caddyhttp/server.go | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/modules/caddyhttp/server.go b/modules/caddyhttp/server.go index e302c36..964b2a4 100644 --- a/modules/caddyhttp/server.go +++ b/modules/caddyhttp/server.go @@ -150,6 +150,17 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) { } } + // reject very long methods; probably a mistake or an attack + if len(r.Method) > 32 { + if s.shouldLogRequest(r) { + s.accessLogger.Debug("rejecting request with long method", + zap.String("method_trunc", r.Method[:32]), + zap.String("remote_addr", r.RemoteAddr)) + } + w.WriteHeader(http.StatusMethodNotAllowed) + return + } + repl := caddy.NewReplacer() r = PrepareRequest(r, repl, w, s) |