nghttpx: Only allow POST and PUT for API request

27fa9c3c · Tatsuhiro Tsujikawa · 92db6820 · 27fa9c3c
Commit 27fa9c3c authored Jun 04, 2016 by Tatsuhiro Tsujikawa
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 0 deletions

src/shrpx_api_downstream_connection.cc src/shrpx_api_downstream_connection.cc +11 -0

No files found.
--- a/src/shrpx_api_downstream_connection.cc
+++ b/src/shrpx_api_downstream_connection.cc
@@ -73,6 +73,7 @@ int APIDownstreamConnection::send_reply(unsigned int http_status,

  switch (http_status) {
  case 400:
+  case 405:
  case 413:
    resp.fs.add_header_token(StringRef::from_lit("connection"),
                             StringRef::from_lit("close"), false,
@@ -89,6 +90,7 @@ int APIDownstreamConnection::send_reply(unsigned int http_status,

 int APIDownstreamConnection::push_request_headers() {
  auto &req = downstream_->request();
+  auto &resp = downstream_->response();

  if (req.path != StringRef::from_lit("/api/v1alpha1/backend/replace")) {
    send_reply(404, StringRef::from_lit("404 Not Found"));
@@ -96,6 +98,15 @@ int APIDownstreamConnection::push_request_headers() {
    return 0;
  }

+  if (req.method != HTTP_POST && req.method != HTTP_PUT) {
+    resp.fs.add_header_token(StringRef::from_lit("allow"),
+                             StringRef::from_lit("POST, PUT"), false, -1);
+    send_reply(
+        405, http2::get_status_string(downstream_->get_block_allocator(), 405));
+
+    return 0;
+  }
+
  // This works with req.fs.content_length == -1
  if (req.fs.content_length >
      static_cast<int64_t>(get_config()->api.max_request_body)) {