From 67d72d46f77771ddb7886e4ea83bb292802ea8d5 Mon Sep 17 00:00:00 2001
From: Valentin Bartenev <vbart@nginx.com>
Date: Fri, 8 Dec 2017 19:18:00 +0300
Subject: [PATCH] HTTP parser: improved detection of corrupted request line.

---
 src/nxt_http_parse.c | 44 +++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 43 insertions(+), 1 deletion(-)

diff --git a/src/nxt_http_parse.c b/src/nxt_http_parse.c
index d826c536..03662ef2 100644
--- a/src/nxt_http_parse.c
+++ b/src/nxt_http_parse.c
@@ -118,6 +118,10 @@ nxt_http_parse_target(u_char **pos, u_char *end)
         p += 10;
     }
 
+    while (p != end) {
+        nxt_target_test_char(*p); p++;
+    }
+
     return NXT_HTTP_TARGET_AGAIN;
 }
 
@@ -181,6 +185,10 @@ nxt_http_parse_request_line(nxt_http_request_parse_t *rp, u_char **pos,
             p += 8;
         }
 
+        while (p != end) {
+            nxt_method_test_char(*p); p++;
+        }
+
         return NXT_AGAIN;
 
     method_unusual_char:
@@ -316,7 +324,41 @@ rest_of_target:
 space_after_target:
 
     if (nxt_slow_path(end - p < 10)) {
-        return NXT_AGAIN;
+
+        do {
+            p++;
+
+            if (p == end) {
+                return NXT_AGAIN;
+            }
+
+        } while (*p == ' ');
+
+        if (nxt_memcmp(p, "HTTP/", nxt_min(end - p, 5)) == 0) {
+
+            switch (end - p) {
+            case 8:
+                if (p[7] < '0' || p[7] > '9') {
+                    break;
+                }
+                /* Fall through. */
+            case 7:
+                if (p[6] != '.') {
+                    break;
+                }
+                /* Fall through. */
+            case 6:
+                if (p[5] < '0' || p[5] > '9') {
+                    break;
+                }
+                /* Fall through. */
+            default:
+                return NXT_AGAIN;
+            }
+        }
+
+        rp->space_in_target = 1;
+        goto rest_of_target;
     }
 
     /* " HTTP/1.1\r\n" or " HTTP/1.1\n" */