BUG/MINOR: http-rules: Fix ACLs parsing for http deny rules

The parsing of http deny rules with no argument or only the deny_status argument
is buggy if followed by an ACLs expression (starting with "if" or "unless"
keyword). Instead of using the proxy errorfiles, a dummy error is used. To fix
the bug, the parsing function must also check for "if" or "unless" keyword in
such cases.

This patch should fix the issue #720. No backport is needed.
Christopher Faulet 2020-06-30 09:32:01 +02:00
parent ddfe0743d8
commit 9467f18d32
2 changed files with 5 additions and 6 deletions

@ -34,7 +34,7 @@ haproxy h1 -conf {
frontend fe1
bind "fd@${fe1}"
http-request deny deny_status 400 if { path /400 }
http-request deny deny_status 403 if { path /403 }
http-request deny if { path /403 }
http-request deny deny_status 404 if { path /404 }
http-request deny deny_status 500 if { path /500 }
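Review bot: the replaced 403 rule only exercises the `if` form of a bare `deny`, so the `unless` comparison added to the parser has no coverage in this frontend (the same replacement is made in the next two hunks). Consider adding one rule that uses `unless` after a bare `deny` and one that uses it after `deny_status <code>`, so both new branches are tested. Because the 403 line is replaced rather than added alongside, the explicit `deny_status 403` case is no longer tested; the 400/404/500 rules still cover that form, but keeping both 403 variants would make the regression easier to spot.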
@ -43,7 +43,7 @@ haproxy h1 -conf {
errorfiles errors-1
errorfile 500 ${testdir}/errors/500.http
http-request deny deny_status 400 if { path /400 }
http-request deny deny_status 403 if { path /403 }
http-request deny if { path /403 }
http-request deny deny_status 404 if { path /404 }
http-request deny deny_status 500 if { path /500 }
@ -53,7 +53,7 @@ haproxy h1 -conf {
errorfiles errors-1 500
errorfiles errors-3 400
http-request deny deny_status 400 if { path /400 }
http-request deny deny_status 403 if { path /403 }
http-request deny if { path /403 }
http-request deny deny_status 404 if { path /404 }
http-request deny deny_status 500 if { path /500 }
} -start

@ -855,14 +855,13 @@ static enum act_parse_ret parse_http_deny(const char **args, int *orig_arg, stru
/* Prepare parsing of log-format strings */
px->conf.args.ctx = ((rule->from == ACT_F_HTTP_REQ) ? ARGC_HRQ : ARGC_HRS);
if (!*(args[cur_arg])) {
if (!*(args[cur_arg]) || strcmp(args[cur_arg], "if") == 0 || strcmp(args[cur_arg], "unless") == 0) {
rule->arg.http_reply = http_parse_http_reply((const char *[]){"default-errorfiles", ""}, &arg, px, default_status, err);
goto end;
}
if (strcmp(args[cur_arg], "deny_status") == 0) {
if (!*(args[cur_arg+2]) ||
(strcmp(args[cur_arg+2], "errorfile") != 0 && strcmp(args[cur_arg+2], "errorfiles") != 0)) {
if (!*(args[cur_arg+2]) || strcmp(args[cur_arg+2], "if") == 0 || strcmp(args[cur_arg+2], "unless") == 0) {
rule->arg.http_reply = http_parse_http_reply((const char *[]){"status", args[cur_arg+1], "default-errorfiles", ""},
&arg, px, default_status, err);
*orig_arg += 2;
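Review bot: in the `deny_status` branch the condition on `args[cur_arg+2]` is narrower than before, not just extended. The old test took the default-errorfiles path for any token other than `errorfile` or `errorfiles`, while the new one takes it only for end of line, `if` or `unless`, so any other token after `deny_status <code>` now falls through to the code below this hunk. Please confirm that path rejects unknown keywords with a clear error, and say so in the commit message if the change is intended. Separately, the `if`/`unless` comparison is written out twice (on `args[cur_arg]` and on `args[cur_arg+2]`); a small helper would keep the two sites in sync.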