haproxy/reg-tests/http-rules/restrict_req_hdr_names.vtc
Mateusz Malek 4b85a963be BUG/MEDIUM: http-ana: fix crash or wrong header deletion by http-restrict-req-hdr-names
When using `option http-restrict-req-hdr-names delete`, HAproxy may
crash or delete wrong header after receiving request containing multiple
forbidden characters in single header name; exact behavior depends on
number of request headers, number of forbidden characters and position
of header containing them.

This patch fixes GitHub issue #1822.

Must be backported as far as 2.2 (buggy feature got included in 2.2.25,
2.4.18 and 2.5.8).
2022-08-17 15:52:17 +02:00

186 lines
4.3 KiB
Plaintext

varnishtest "http-restrict-req-hdr-names option tests"
feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(2.0-dev0)'"
# This config tests "http-restrict-req-hdr-names" option
feature ignore_unknown_macro
server s1 {
rxreq
expect req.http.x-my_hdr == on
txresp
} -start
server s2 {
rxreq
expect req.http.x-my_hdr == <undef>
txresp
} -start
server s3 {
rxreq
expect req.http.x-my_hdr == on
txresp
} -start
server s4 {
rxreq
expect req.http.x-my_hdr == <undef>
txresp
} -start
server s5 {
rxreq
expect req.http.x-my_hdr == on
txresp
} -start
server s6 {
rxreq
expect req.http.x_my_hdr_with_lots_of_underscores == <undef>
txresp
} -start
server s7 {
rxreq
expect req.http.x_my_hdr-1 == <undef>
expect req.http.x-my-hdr-2 == on
txresp
} -start
server s8 {
rxreq
expect req.http.x-my_hdr-1 == <undef>
expect req.http.x-my_hdr-2 == <undef>
txresp
} -start
server s9 {
rxreq
expect req.http.x-my-hdr-with-trailing-underscore_ == <undef>
txresp
} -start
haproxy h1 -conf {
defaults
mode http
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
frontend fe1
bind "fd@${fe1}"
use_backend be-http1 if { path /req1 }
use_backend be-http2 if { path /req2 }
use_backend be-http3 if { path /req3 }
use_backend be-fcgi1 if { path /req4 }
use_backend be-fcgi2 if { path /req5 }
use_backend be-fcgi3 if { path /req6 }
use_backend be-http4 if { path /req7 }
use_backend be-http5 if { path /req8 }
use_backend be-http6 if { path /req9 }
use_backend be-http7 if { path /req10 }
backend be-http1
server s1 ${s1_addr}:${s1_port}
backend be-http2
option http-restrict-req-hdr-names delete
server s2 ${s2_addr}:${s2_port}
backend be-http3
option http-restrict-req-hdr-names reject
backend be-fcgi1
option http-restrict-req-hdr-names preserve
server s3 ${s3_addr}:${s3_port}
backend be-fcgi2
option http-restrict-req-hdr-names delete
server s4 ${s4_addr}:${s4_port}
backend be-fcgi3
option http-restrict-req-hdr-names reject
backend be-http4
option http-restrict-req-hdr-names delete
server s6 ${s6_addr}:${s6_port}
backend be-http5
option http-restrict-req-hdr-names delete
server s7 ${s7_addr}:${s7_port}
backend be-http6
option http-restrict-req-hdr-names delete
server s8 ${s8_addr}:${s8_port}
backend be-http7
option http-restrict-req-hdr-names delete
server s9 ${s9_addr}:${s9_port}
defaults
mode http
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
option http-restrict-req-hdr-names preserve
frontend fe2
bind "fd@${fe2}"
default_backend be-fcgi4
backend be-fcgi4
server s5 ${s5_addr}:${s5_port}
fcgi-app my-fcgi-app
docroot ${testdir}
} -start
client c1 -connect ${h1_fe1_sock} {
txreq -req GET -url /req1 -hdr "X-my_hdr: on"
rxresp
expect resp.status == 200
txreq -req GET -url /req2 -hdr "X-my_hdr: on"
rxresp
expect resp.status == 200
txreq -req GET -url /req3 -hdr "X-my_hdr: on"
rxresp
expect resp.status == 403
txreq -req GET -url /req4 -hdr "X-my_hdr: on"
rxresp
expect resp.status == 200
txreq -req GET -url /req5 -hdr "X-my_hdr: on"
rxresp
expect resp.status == 200
txreq -req GET -url /req6 -hdr "X-my_hdr: on"
rxresp
expect resp.status == 403
txreq -req GET -url /req7 -hdr "X_my_hdr_with_lots_of_underscores: on"
rxresp
expect resp.status == 200
txreq -req GET -url /req8 -hdr "X_my_hdr-1: on" -hdr "X-my-hdr-2: on"
rxresp
expect resp.status == 200
txreq -req GET -url /req9 -hdr "X-my_hdr-1: on" -hdr "X-my_hdr-2: on"
rxresp
expect resp.status == 200
txreq -req GET -url /req10 -hdr "X-my-hdr-with-trailing-underscore_: on"
rxresp
expect resp.status == 200
} -run
client c2 -connect ${h1_fe2_sock} {
txreq -req GET -url /req1 -hdr "X-my_hdr: on"
rxresp
expect resp.status == 200
} -run