From 9bd5358b5545f4aa6abb24b6f1b5a2b06d0d21e3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Peter=20M=C3=BCller?=
Date: Fri, 30 Jan 2026 17:27:29 +0100
Subject: [PATCH] Fix issue with http2 requests and captcha

The lua-nginx-module requires the content-length header to be set on http2 requests when ngx.req.read_body() is called and throws an error otherwise. This fix checks for POST request method before reading the body to avoid the error on other request methods.

Ref crowdsecurity/lua-cs-bouncer#130
---
 lib/crowdsec.lua | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/crowdsec.lua b/lib/crowdsec.lua
index 71fa6c3..f8f3be9 100644
--- a/lib/crowdsec.lua
+++ b/lib/crowdsec.lua
@@ -730,7 +730,7 @@ function csmod.Allow(ip)
 local previous_uri, flags = ngx.shared.crowdsec_cache:get("captcha_" .. ip)
 local source, state_id, err = flag.GetFlags(flags)
- if previous_uri ~= nil and state_id == flag.VERIFY_STATE then
+ if previous_uri ~= nil and state_id == flag.VERIFY_STATE and ngx.req.get_method() == "POST" then
 ngx.req.read_body()
 local args, err = ngx.req.get_post_args()
@@ -789,7 +789,7 @@ function csmod.Allow(ip)
 local previous_uri, flags = ngx.shared.crowdsec_cache:get("captcha_"..ip)
 local source, state_id, err = flag.GetFlags(flags)
 -- we check if the IP is already in cache for captcha and not yet validated
- if previous_uri == nil or state_id ~= flag.VALIDATED_STATE or remediationSource == flag.APPSEC_SOURCE then
+ if previous_uri == nil or state_id ~= flag.VALIDATED_STATE or remediationSource == flag.APPSEC_SOURCE then
 local uri = ngx.var.uri
 -- in case its not a GET request, we prefer to fallback on referer
 if ngx.req.get_method() ~= "GET" then
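Review bot: In the first hunk (`@@ -730,7 +730,7 @@`), the added `ngx.req.get_method() == "POST"` test narrows when `ngx.req.read_body()` runs but does not remove the failure the commit message describes: going by that description, an HTTP/2 POST arriving without a content-length header while the IP is in `flag.VERIFY_STATE` would still reach `read_body()` and raise. Consider making the read itself fail-safe, for example `local ok = pcall(ngx.req.read_body)` followed by `if not ok then` handling the request as a failed captcha attempt, so a malformed submission is rejected cleanly instead of surfacing as an unhandled error in the bouncer. A short comment above the condition would also help, such as `-- only POST carries the captcha answer; read_body() errors on HTTP/2 requests without content-length`. Please confirm as well that a non-POST request in VERIFY_STATE still falls through to the captcha page rather than being allowed; that path and the rest of this `if` block lie outside the hunk.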