fix(nginx,h2o): reject unknown HTTP methods with 405

Both nginx module and h2o were accepting any HTTP method (GETT, FOOBAR, etc.)
and returning 200, failing the validate.sh bad method check.

nginx changes:
- Add method guard at top of handler: only GET/HEAD/POST allowed, else 405
- Change fallthrough from NGX_DECLINED to 404 so unknown paths don't leak
  to nginx's default handler

h2o changes:
- Add reject_bad_method() helper checking for GET/HEAD/POST
- Guard all route handlers (pipeline, baseline11, baseline2, json, static,
  compression, db) — upload already checks for POST

Both now return 405 Method Not Allowed for unknown methods.

Fixes validate.sh bad method test for nginx and h2o.

Author: BennyFranciscus

frameworks/h2o/src/main.c

@@ -57,11 +57,33 @@ static int64_t sum_query_values(h2o_req_t *req)
     return sum;
 }
 
+/* Method check helper — returns true if method is not GET/HEAD/POST */
+static inline int reject_bad_method(h2o_req_t *req)
+{
+    if (h2o_memis(req->method.base, req->method.len, H2O_STRLIT("GET"))
+        || h2o_memis(req->method.base, req->method.len, H2O_STRLIT("HEAD"))
+        || h2o_memis(req->method.base, req->method.len, H2O_STRLIT("POST"))) {
+        return 0;
+    }
+    req->res.status = 405;
+    req->res.reason = "Method Not Allowed";
+    req->res.content_length = 18;
+    h2o_add_header(&req->pool, &req->res.headers, H2O_TOKEN_CONTENT_TYPE,
+                   NULL, H2O_STRLIT("text/plain"));
+    h2o_generator_t gen;
+    memset(&gen, 0, sizeof(gen));
+    h2o_iovec_t body = {H2O_STRLIT("Method Not Allowed")};
+    h2o_start_response(req, &gen);
+    h2o_send(req, &body, 1, H2O_SEND_STATE_FINAL);
+    return 1;
+}
+
 /* GET /pipeline — return "ok" (zero-copy static response) */
 static int on_pipeline(h2o_handler_t *h, h2o_req_t *req)
 {
     static h2o_iovec_t body = {H2O_STRLIT("ok")};
     (void)h;
+    if (reject_bad_method(req)) return 0;
     h2o_generator_t gen;
     memset(&gen, 0, sizeof(gen));
     req->res.status = 200;
@@ -78,6 +100,7 @@ static int on_pipeline(h2o_handler_t *h, h2o_req_t *req)
 static int on_baseline11(h2o_handler_t *h, h2o_req_t *req)
 {
     (void)h;
+    if (reject_bad_method(req)) return 0;
     int64_t sum = sum_query_values(req);
     if (h2o_memis(req->method.base, req->method.len, H2O_STRLIT("POST"))
         && req->entity.len > 0) {
@@ -107,6 +130,7 @@ static int on_baseline11(h2o_handler_t *h, h2o_req_t *req)
 static int on_baseline2(h2o_handler_t *h, h2o_req_t *req)
 {
     (void)h;
+    if (reject_bad_method(req)) return 0;
     int64_t sum = sum_query_values(req);
     char buf[32];
     int len = snprintf(buf, sizeof(buf), "%lld", (long long)sum);
@@ -127,6 +151,7 @@ static int on_baseline2(h2o_handler_t *h, h2o_req_t *req)
 static int on_json(h2o_handler_t *h, h2o_req_t *req)
 {
     (void)h;
+    if (reject_bad_method(req)) return 0;
     if (!dataset_tree) {
         h2o_send_error_500(req, "Error", "No dataset", 0);
         return 0;
@@ -246,6 +271,7 @@ static int on_json(h2o_handler_t *h, h2o_req_t *req)
 static int on_static(h2o_handler_t *h, h2o_req_t *req)
 {
     (void)h;
+    if (reject_bad_method(req)) return 0;
     /* path is /static/<filename>, extract filename after "/static/" (8 chars) */
     if (req->path_normalized.len <= 8) {
         h2o_send_error_404(req, "Not Found", "Not Found", 0);
@@ -302,6 +328,7 @@ static int on_upload(h2o_handler_t *h, h2o_req_t *req)
 static int on_compression(h2o_handler_t *h, h2o_req_t *req)
 {
     (void)h;
+    if (reject_bad_method(req)) return 0;
     if (!json_large_response) {
         h2o_send_error_500(req, "Error", "No dataset", 0);
         return 0;
@@ -352,6 +379,7 @@ static void load_db_thread(void)
 static int on_db(h2o_handler_t *h, h2o_req_t *req)
 {
     (void)h;
+    if (reject_bad_method(req)) return 0;
     if (!tl_db || !tl_db_stmt) {
         h2o_send_error_500(req, "Error", "DB not loaded", 0);
         return 0;

frameworks/nginx/ngx_http_httparena_module.c

@@ -317,6 +317,14 @@ ngx_http_httparena_handler(ngx_http_request_t *r)
     u_char *uri = r->uri.data;
     size_t uri_len = r->uri.len;
 
+    /* Reject unknown HTTP methods — only allow GET, HEAD, POST */
+    if (!(r->method & (NGX_HTTP_GET | NGX_HTTP_POST | NGX_HTTP_HEAD))) {
+        ngx_http_discard_request_body(r);
+        return send_resp(r, 405,
+                         (u_char *)"text/plain", 10,
+                         (u_char *)"Method Not Allowed", 18, 1);
+    }
+
     /* /db */
     if (uri_len == 3 && ngx_strncmp(uri, "/db", 3) == 0) {
         return on_db(r);
@@ -435,7 +443,11 @@ ngx_http_httparena_handler(ngx_http_request_t *r)
                          (u_char *)"Not Found", 9, 0);
     }
 
-    return NGX_DECLINED;
+    /* Unknown path — return 404 instead of falling through to nginx default */
+    ngx_http_discard_request_body(r);
+    return send_resp(r, 404,
+                     (u_char *)"text/plain", 10,
+                     (u_char *)"Not Found", 9, 1);
 }
 
 /* ---------- Data loading ---------- */