BUG/MEDIUM: h2/htx: verify that :path doesn't contain invalid chars

While the legacy code converts h2 to h1 and provides some control over
what is passed, in htx mode there is no such control and it is possible
to pass control chars and linear white spaces in the path, which are
possibly reencoded differently once passed to the H1 side.

HTX supports parse error reporting using a special flag. Let's check
the correctness of the :path pseudo header and report any anomaly in
the HTX flag.

Thanks to J�r�me Magnin for reporting this bug with a working reproducer.

This fix must be backported to 1.9 along with the two previous patches
("MINOR: htx: unconditionally handle parsing errors in requests or
responses" and "MINOR: mux-h2: always pass HTX_FL_PARSING_ERROR
between h2s and buf on RX").

src/h2.c

@@ -492,6 +492,7 @@ static struct htx_sl *h2_prepare_htx_reqline(uint32_t fields, struct ist *phdr,
 	int uri_idx = H2_PHDR_IDX_PATH;
 	unsigned int flags = HTX_SL_F_NONE;
 	struct htx_sl *sl;
+	size_t i;
 
 	if ((fields & H2_PHDR_FND_METH) && isteq(phdr[H2_PHDR_IDX_METH], ist("CONNECT"))) {
 		/* RFC 7540 #8.2.6 regarding CONNECT: ":scheme" and ":path"
@@ -538,6 +539,13 @@ static struct htx_sl *h2_prepare_htx_reqline(uint32_t fields, struct ist *phdr,
 	if (!phdr[uri_idx].len)
 		goto fail;
 
+	/* make sure :path doesn't contain LWS nor CTL characters */
+	for (i = 0; i < phdr[uri_idx].len; i++) {
+		unsigned char c = phdr[uri_idx].ptr[i];
+		if (HTTP_IS_LWS(c) || HTTP_IS_CTL(c))
+			htx->flags |= HTX_FL_PARSING_ERROR;
+	}
+
 	/* Set HTX start-line flags */
 	flags |= HTX_SL_F_VER_11;    // V2 in fact
 	flags |= HTX_SL_F_XFER_LEN;  // xfer len always known with H2