
fix(nginx,h2o): reject unknown HTTP methods with 405 #99

Merged
MDA2AV merged 2 commits into MDA2AV:main from BennyFranciscus:fix/bad-method-validation
Mar 25, 2026



@BennyFranciscus
Collaborator

As requested in #98 — fixes the bad method validation failure for both nginx and h2o.

Problem

Both the nginx module and h2o accept any HTTP method (GETT, FOOBAR, etc.) and return 200, failing the validate.sh bad method check:

FAIL [bad method]: expected 4xx, got HTTP 200

Changes

nginx (ngx_http_httparena_module.c)

  • Method guard at the top of the handler: only GET/HEAD/POST are allowed, everything else gets 405 Method Not Allowed
  • Changed the final fallthrough from NGX_DECLINED (which passed to nginx default → 200) to a proper 404 Not Found for unknown paths

h2o (src/main.c)

  • Added reject_bad_method() helper that checks for GET/HEAD/POST
  • Applied it to all route handlers: pipeline, baseline11, baseline2, json, static, compression, db
  • Upload handler already enforced POST-only so it was fine

Both return 405 for unknown methods, which satisfies the validate.sh 4xx check.

@BennyFranciscus BennyFranciscus requested a review from MDA2AV as a code owner March 24, 2026 23:21
@joanhey
Contributor

joanhey commented Mar 25, 2026

@BennyFranciscus fix the validation for nginx-openresty; it has the same problem.

Both nginx module and h2o were accepting any HTTP method (GETT, FOOBAR, etc.)
and returning 200, failing the validate.sh bad method check.

nginx changes:
- Add method guard at top of handler: only GET/HEAD/POST allowed, else 405
- Change fallthrough from NGX_DECLINED to 404 so unknown paths don't leak
  to nginx's default handler

h2o changes:
- Add reject_bad_method() helper checking for GET/HEAD/POST
- Guard all route handlers (pipeline, baseline11, baseline2, json, static,
  compression, db) — upload already checks for POST

Both now return 405 Method Not Allowed for unknown methods.

Fixes validate.sh bad method test for nginx and h2o.

Add access_by_lua_block at server level to reject methods other than
GET, HEAD, and POST with 405 Method Not Allowed.

Requested by @joanhey in PR MDA2AV#99.
@BennyFranciscus BennyFranciscus force-pushed the fix/bad-method-validation branch from 6c56663 to e7b5a19 Compare March 25, 2026 09:21
@BennyFranciscus
Collaborator Author

Good catch @joanhey — pushed a fix for nginx-openresty too. Added an access_by_lua_block at the server level that rejects anything other than GET/HEAD/POST with 405. Should cover all the routes without needing per-handler checks.

@MDA2AV MDA2AV merged commit 0484071 into MDA2AV:main Mar 25, 2026
4 checks passed
BennyFranciscus added a commit to BennyFranciscus/HttpArena that referenced this pull request Mar 25, 2026
…nknown paths

Same fix pattern as PR MDA2AV#99 (nginx/h2o/openresty):
- Add rejectBadMethod() helper: only GET/HEAD/POST allowed, else 405
- Unknown paths now return 404 instead of falling through to next handler
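The guard-then-route pattern described in this thread, as an added stand-alone C example; it is not code from the PR or from HttpArena, and every name and route path in it is hypothetical. It goes slightly beyond the thread by also returning the Allow header value that RFC 9110 requires on a 405, and it compares method tokens by exact length and bytes so that `GETT` cannot pass as a prefix match of `GET`.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names throughout; this is not the HttpArena handler code. */
enum { ST_OK = 200, ST_NOT_FOUND = 404, ST_NOT_ALLOWED = 405 };

static const char *const ALLOWED[] = { "GET", "HEAD", "POST" };
static const char *const ROUTES[]  = { "/json", "/db", "/pipeline" }; /* constructed paths */

/* Exact, case-sensitive match on a length-delimited token: HTTP parsers
 * usually hand over (pointer, length), not a NUL-terminated string. */
static int tok_eq(const char *tok, size_t len, const char *lit)
{
    return strlen(lit) == len && memcmp(tok, lit, len) == 0;
}

static int method_allowed(const char *m, size_t len)
{
    for (size_t i = 0; i < sizeof ALLOWED / sizeof ALLOWED[0]; i++)
        if (tok_eq(m, len, ALLOWED[i]))
            return 1;
    return 0;
}

/* Returns the status code; *allow is set to the Allow value only for a 405. */
int dispatch(const char *m, size_t mlen, const char *path, size_t plen, const char **allow)
{
    *allow = NULL;
    if (!method_allowed(m, mlen)) {      /* guard runs before any routing */
        *allow = "GET, HEAD, POST";
        return ST_NOT_ALLOWED;
    }
    for (size_t i = 0; i < sizeof ROUTES / sizeof ROUTES[0]; i++)
        if (tok_eq(path, plen, ROUTES[i]))
            return ST_OK;
    return ST_NOT_FOUND;                 /* explicit 404, no default-handler fallthrough */
}

int main(void)
{
    const char *allow;
    int st = dispatch("GETT", 4, "/json", 5, &allow);
    printf("%d Allow: %s\n", st, allow ? allow : "-");
    return 0;
}
```

Because the method guard runs first, an unknown method on an unknown path yields 405 rather than 404, which keeps the response independent of the route table.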