RepoMirrors/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git/ synced 2025-01-04 11:12:02 +00:00
Code Issues Packages Projects Releases Wiki Activity

BUG/MEDIUM: h3: reject request with invalid header name

Browse Source 
Reject request containing invalid header name. This concerns every
header containing uppercase letter or a non HTTP token such as a space.

For the moment, this kind of errors triggers a connection close. In the
future, it should be handled only with a stream reset. To reduce
backport surface, this will be implemented in another commit.

Thanks to Yuki Mogi from FFRI Security, Inc. for having reported this.

This must be backported up to 2.6.
This commit is contained in:
Amaury Denoyelle 2022-12-07 14:31:42 +01:00
parent f98b3b1107
commit d6fb7a0e0f
1 changed files with 29 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
src/h3.c
View File

@ -352,7 +352,27 @@ static ssize_t h3_headers_to_htx(struct qcs *qcs, const struct buffer *buf,
//struct ist scheme = IST_NULL, authority = IST_NULL;
struct ist authority = IST_NULL;
int hdr_idx, ret;
int cookie = -1, last_cookie = -1;
int cookie = -1, last_cookie = -1, i;
/* RFC 9114 4.1.2. Malformed Requests and Responses
*
* A malformed request or response is one that is an otherwise valid
* sequence of frames but is invalid due to:
* - the presence of prohibited fields or pseudo-header fields,
* - the absence of mandatory pseudo-header fields,
* - invalid values for pseudo-header fields,
* - pseudo-header fields after fields,
* - an invalid sequence of HTTP messages,
* - the inclusion of uppercase field names, or
* - the inclusion of invalid characters in field names or values.
*
* [...]
*
* Intermediaries that process HTTP requests or responses (i.e., any
* intermediary not acting as a tunnel) MUST NOT forward a malformed
* request or response. Malformed requests or responses that are
* detected MUST be treated as a stream error of type H3_MESSAGE_ERROR.
*/
TRACE_ENTER(H3_EV_RX_FRAME|H3_EV_RX_HDR, qcs->qcc->conn, qcs);
@ -416,6 +436,14 @@ static ssize_t h3_headers_to_htx(struct qcs *qcs, const struct buffer *buf,
if (isteq(list[hdr_idx].n, ist("")))
break;
for (i = 0; i < list[hdr_idx].n.len; ++i) {
const char c = list[hdr_idx].n.ptr[i];
if ((uint8_t)(c - 'A') < 'Z' - 'A' || !HTTP_IS_TOKEN(c)) {
TRACE_ERROR("invalid characters in field name", H3_EV_RX_FRAME|H3_EV_RX_HDR, qcs->qcc->conn, qcs);
return -1;
}
}
if (isteq(list[hdr_idx].n, ist("cookie"))) {
http_cookie_register(list, hdr_idx, &cookie, &last_cookie);
continue;