RepoMirrors/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git/ synced 2025-01-18 19:50:54 +00:00
Code Issues Packages Projects Releases Wiki Activity

BUG/MINOR: http_fetch: Fix http_auth/http_auth_group when called from TCP rules

Browse Source 
These sample fetches rely on the static fnuction get_http_auth(). For HTX
streams and TCP proxies, this last one gets its HTX message from the request's
channel. When called from an HTTP rule, There is no problem. Bu when called from
TCP rules for a TCP proxy, this buffer is a raw buffer not an HTX message. For
instance, using the following TCP rule leads to a crash :

  tcp-request content accept if { http_auth(Users) }

To fix the bug, we must rely on the HTX message returned by the function
smp_prefetch_htx(). So now, the HTX message is passed as argument to the
function get_http_auth().

This patch must be backported to 2.0 and 1.9.
This commit is contained in:
Christopher Faulet 2019-07-15 13:58:29 +02:00
parent 6d36e1c282
commit cd76195061
1 changed files with 10 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
src/http_fetch.c
View File

@ -59,7 +59,7 @@ static THREAD_LOCAL struct http_hdr_ctx static_http_hdr_ctx;
* have the credentials overwritten by another stream in parallel.
*/
static int get_http_auth(struct sample *smp)
static int get_http_auth(struct sample *smp, struct htx *htx)
{
struct stream *s = smp->strm;
struct http_txn *txn = s->txn;
@ -75,9 +75,8 @@ static int get_http_auth(struct sample *smp)
txn->auth.method = HTTP_AUTH_WRONG;
if (IS_HTX_STRM(s) || (smp->px->mode == PR_MODE_TCP)) {
if (htx) {
/* HTX version */
struct htx *htx = htxbuf(&s->req.buf);
struct http_hdr_ctx ctx = { .blk = NULL };
struct ist hdr;
@ -1918,14 +1917,16 @@ static int smp_fetch_http_auth(const struct arg *args, struct sample *smp, const
if (!htx)
return 0;
if (!get_http_auth(smp, htx))
return 0;
}
else {
/* LEGACY version */
CHECK_HTTP_MESSAGE_FIRST(chn);
if (!get_http_auth(smp, NULL))
return 0;
}
if (!get_http_auth(smp))
return 0;
smp->data.type = SMP_T_BOOL;
smp->data.u.sint = check_user(args->data.usr, smp->strm->txn->auth.user,
smp->strm->txn->auth.pass);
@ -1946,15 +1947,16 @@ static int smp_fetch_http_auth_grp(const struct arg *args, struct sample *smp, c
if (!htx)
return 0;
if (!get_http_auth(smp, htx))
return 0;
}
else {
/* LEGACY version */
CHECK_HTTP_MESSAGE_FIRST(chn);
if (!get_http_auth(smp, NULL))
return 0;
}
if (!get_http_auth(smp))
return 0;
/* if the user does not belong to the userlist or has a wrong password,
* report that it unconditionally does not match. Otherwise we return
* a string containing the username.