RepoMirrors/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git/ synced 2025-05-07 10:18:01 +00:00
Code Issues Packages Projects Releases Wiki Activity

BUG/MINOR: h3: reject more chars from the :path pseudo header

Browse Source 
This is the h3 version of this previous fix:

   BUG/MINOR: h2: reject more chars from the :path pseudo header

In addition to the current NUL/CR/LF, this will also reject all other
control chars, the space and '#' from the :path pseudo-header, to avoid
taking the '#' for a part of the path. It's still possible to fall back
to the previous behavior using "option accept-invalid-http-request".

Here the :path header value is scanned a second time to look for
forbidden chars because we don't know upfront if we're dealing with a
path header field or another one. This is no big deal anyway for now.

This should be progressively backported to 2.6, along with the
following commits it relies on (the same as for h2):

   REGTESTS: http-rules: add accept-invalid-http-request for normalize-uri tests
   REORG: http: move has_forbidden_char() from h2.c to http.h
   MINOR: ist: add new function ist_find_range() to find a character range
   MINOR: http: add new function http_path_has_forbidden_char()
This commit is contained in:
Willy Tarreau 2023-08-08 17:54:26 +02:00
parent b3119d4fb4
commit 2e97857a84
1 changed files with 15 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
src/h3.c
View File

@ -419,6 +419,7 @@ static ssize_t h3_headers_to_htx(struct qcs *qcs, const struct buffer *buf,
int hdr_idx, ret;
int cookie = -1, last_cookie = -1, i;
const char *ctl;
int relaxed = !!(h3c->qcc->proxy->options2 & PR_O2_REQBUG_OK);
/* RFC 9114 4.1.2. Malformed Requests and Responses
*
@ -520,6 +521,20 @@ static ssize_t h3_headers_to_htx(struct qcs *qcs, const struct buffer *buf,
len = -1;
goto out;
}
if (!relaxed) {
/* we need to reject any control chars or '#' from the path,
* unless option accept-invalid-http-request is set.
*/
ctl = ist_find_range(list[hdr_idx].v, 0, '#');
if (unlikely(ctl) && http_path_has_forbidden_char(list[hdr_idx].v, ctl)) {
TRACE_ERROR("forbidden character in ':path' pseudo-header", H3_EV_RX_FRAME|H3_EV_RX_HDR, qcs->qcc->conn, qcs);
h3s->err = H3_MESSAGE_ERROR;
len = -1;
goto out;
}
}
path = list[hdr_idx].v;
}
else if (isteq(list[hdr_idx].n, ist(":scheme"))) {