From dd002b81417dabac10daf28cbab00179e7bdf95f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lo=C3=AFc=20Hoguin?=
Date: Wed, 6 Dec 2017 00:30:59 +0100
Subject: Disable the CONNECT method completely

It's safer than allow it with the wrong behavior.
---
 src/cowboy_http.erl | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'src/cowboy_http.erl')
diff --git a/src/cowboy_http.erl b/src/cowboy_http.erl
index e9acceb..eca0099 100644
--- a/src/cowboy_http.erl
+++ b/src/cowboy_http.erl
@@ -347,8 +347,9 @@ parse_request(Buffer, State=#state{opts=Opts, in_streamid=InStreamID}, EmptyLine
 %% @todo * is only for server-wide OPTIONS request (RFC7230 5.3.4); tests
 << "OPTIONS * ", Rest/bits >> ->
 parse_version(Rest, State, <<"OPTIONS">>, <<"*">>, <<>>);
-% << "CONNECT ", Rest/bits >> ->
-% parse_authority( %% @todo
+ <<"CONNECT ", _/bits>> ->
+ error_terminate(501, State, {connection_error, no_error,
+ 'The CONNECT method is currently not implemented. (RFC7231 4.3.6)'});
 %% Accept direct HTTP/2 only at the beginning of the connection.
 << "PRI * HTTP/2.0\r\n", _/bits >> when InStreamID =:= 1 ->
 %% @todo Might be worth throwing to get a clean stacktrace.
-- cgit v1.2.3
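Review bot: The new `<<"CONNECT ", _/bits>>` clause has no comment saying why the method is refused rather than left to whatever generic request-line parsing follows outside the hunk, and that rationale is the security-relevant part: a CONNECT target is in authority form (RFC7230 5.3.3), so presumably it should never reach handlers looking like an ordinary request. I would put `%% Reject CONNECT outright: tunnels are not implemented and its authority-form target must not be parsed as a regular request.` above the clause, which also records that its position ahead of any later catch-all method clause is deliberate. This view is limited to src/cowboy_http.erl, so it cannot be seen whether the HTTP/2 request path refuses CONNECT the same way or whether a test asserts the 501; both are worth confirming. parse_request's body starts before and continues past the hunk.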