RepoMirrors
/
haproxy
mirror of http://git.haproxy.org/git/haproxy.git/
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

BUG/MINOR: h2: reject more chars from the :path pseudo header 

This is the h2 version of this previous fix:

    BUG/MINOR: h1: do not accept '#' as part of the URI component

In addition to the current NUL/CR/LF, this will also reject all other
control chars, the space and '#' from the :path pseudo-header, to avoid
taking the '#' for a part of the path. It's still possible to fall back
to the previous behavior using "option accept-invalid-http-request".

This patch modifies the request parser to change the ":path" pseudo header
validation function with a new one that rejects 0x00-0x1F (control chars),
space and '#'. This way such chars will be dropped early in the chain, and
the search for '#' doesn't incur a second pass over the header's value.

This should be progressively backported to stable versions, along with the
following commits it relies on:

     REGTESTS: http-rules: add accept-invalid-http-request for normalize-uri tests
     REORG: http: move has_forbidden_char() from h2.c to http.h
     MINOR: ist: add new function ist_find_range() to find a character range
     MINOR: http: add new function http_path_has_forbidden_char()
     MINOR: h2: pass accept-invalid-http-request down the request parser
This commit is contained in:
Willy Tarreau 2023-08-08 15:40:49 +02:00
parent 2eab6d3543
commit b3119d4fb4
1 changed files with 11 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
src/h2.c
View File

@ -337,11 +337,18 @@ int h2_make_htx_request(struct http_hdr *list, struct htx *htx, unsigned int *ms
}
/* RFC7540#10.3: intermediaries forwarding to HTTP/1 must take care of
* rejecting NUL, CR and LF characters.
* rejecting NUL, CR and LF characters. For :path we reject all CTL
* chars, spaces, and '#'.
*/
ctl = ist_find_ctl(list[idx].v);
if (unlikely(ctl) && http_header_has_forbidden_char(list[idx].v, ctl))
goto fail;
if (phdr == H2_PHDR_IDX_PATH && !relaxed) {
ctl = ist_find_range(list[idx].v, 0, '#');
if (unlikely(ctl) && http_path_has_forbidden_char(list[idx].v, ctl))
goto fail;
} else {
ctl = ist_find_ctl(list[idx].v);
if (unlikely(ctl) && http_header_has_forbidden_char(list[idx].v, ctl))
goto fail;
}
if (phdr > 0 && phdr < H2_PHDR_NUM_ENTRIES) {
/* insert a pseudo header by its index (in phdr) and value (in value) */