MINOR: h1: Reject requests if the authority does not match the header host

As stated in the RFC7230#5.4, a client must send a field-value for the header
host that is identical to the authority if the target URI includes one. So, now,
by default, if the authority, when provided, does not match the value of the
header host, an error is triggered. To mitigate this behavior, it is possible to
set the option "accept-invalid-http-request". In that case, an http error is
captured without interrupting the request parsing.
Christopher Faulet 2019-10-11 13:34:22 +02:00
parent 497ab4f519
commit 531b83e039

@ -834,8 +834,20 @@ int h1_headers_to_hdr_list(char *start, const char *stop,
}
}
else if (isteqi(n, ist("host"))) {
if (host_idx == -1)
if (host_idx == -1) {
struct ist authority;
authority = http_get_authority(sl.rq.u, 1);
if (authority.len && !isteqi(v, authority)) {
if (h1m->err_pos < -1) {
state = H1_MSG_HDR_L2_LWS;
goto http_msg_invalid;
}
if (h1m->err_pos == -1) /* capture the error pointer */
h1m->err_pos = ptr - start + skip; /* >= 0 now */
}
host_idx = hdr_count;
}
else {
if (!isteqi(v, hdr[host_idx].v)) {
state = H1_MSG_HDR_L2_LWS;
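Review bot: The new check `if (authority.len && !isteqi(v, authority))` is a whole-string, case-insensitive comparison, so a Host value and an authority that differ only in form (for example one carrying an explicit port and the other not) will be treated as a mismatch and rejected by default. If that strictness is intended, please say so in a comment above the comparison; otherwise compare host and port separately. The literal `1` passed to `http_get_authority(sl.rq.u, 1)` also deserves a short comment, since its meaning is not evident at the call site. Finally, when `h1m->err_pos` is -1 or already set, the mismatch is only recorded and parsing continues with `host_idx = hdr_count`, so with "accept-invalid-http-request" the request proceeds with two different host values; the option's documentation should state which of the two is used for routing and what is forwarded to the server.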