mirror of
http://git.haproxy.org/git/haproxy.git/
synced 2024-12-22 12:20:00 +00:00
6492f1f29d
The content-length header parser has its dedicated function, in order to take extreme care about invalid, unparsable, or conflicting values. But there's a corner case in it, by which it stops comparing values when reaching the end of the header. This has for a side effect that an empty value or a value that ends with a comma does not deserve further analysis, and it acts as if the header was absent. While this is not necessarily a problem for the value ending with a comma as it will be cause a header folding and will disappear, it is a problem for the first isolated empty header because this one will not be recontructed when next ones are seen, and will be passed as-is to the backend server. A vulnerable HTTP/1 server hosted behind haproxy that would just use this first value as "0" and ignore the valid one would then not be protected by haproxy and could be attacked this way, taking the payload for an extra request. In field the risk depends on the server. Most commonly used servers already have safe content-length parsers, but users relying on haproxy to protect a known-vulnerable server might be at risk (and the risk of a bug even in a reputable server should never be dismissed). A configuration-based work-around consists in adding the following rule in the frontend, to explicitly reject requests featuring an empty content-length header that would have not be folded into an existing one: http-request deny if { hdr_len(content-length) 0 } The real fix consists in adjusting the parser so that it always expects a value at the beginning of the header or after a comma. It will now reject requests and responses having empty values anywhere in the C-L header. This needs to be backported to all supported versions. Note that the modification was made to functions h1_parse_cont_len_header() and http_parse_cont_len_header(). Prior to 2.8 the latter was in h2_parse_cont_len_header(). One day the two should be refused but the former is also used by Lua. The HTTP messaging reg-tests were completed to test these cases. Thanks to Ben Kallus of Dartmouth College and Narf Industries for reporting this! (this is in GH #2237).
302 lines
6.3 KiB
Plaintext
302 lines
6.3 KiB
Plaintext
varnishtest "HTTP request tests: H1 to H1 (HTX mode supported only for HAProxy >= 1.9)"
|
|
|
|
# Run it with HAPROXY_PROGRAM=$PWD/haproxy varnishtest -l -k -t 1 "$1"
|
|
|
|
feature ignore_unknown_macro
|
|
|
|
server s1 {
|
|
##
|
|
## Handle GET requests
|
|
##
|
|
rxreq
|
|
expect req.bodylen == 0
|
|
expect req.body == ""
|
|
txresp \
|
|
-status 200 \
|
|
-body "response 1"
|
|
|
|
rxreq
|
|
expect req.bodylen == 0
|
|
expect req.body == ""
|
|
txresp \
|
|
-status 200 \
|
|
-body "response 2"
|
|
|
|
rxreq
|
|
expect req.bodylen == 38
|
|
expect req.body == "this must be delivered, like it or not"
|
|
txresp \
|
|
-status 200 \
|
|
-body "response 3"
|
|
|
|
rxreq
|
|
expect req.bodylen == 0
|
|
expect req.body == ""
|
|
txresp \
|
|
-status 200 \
|
|
-body "response 4"
|
|
|
|
accept
|
|
|
|
##
|
|
## Handle HEAD requests
|
|
##
|
|
rxreq
|
|
expect req.bodylen == 0
|
|
expect req.body == ""
|
|
txresp \
|
|
-status 200 \
|
|
-body "response 1"
|
|
|
|
accept
|
|
|
|
rxreq
|
|
expect req.bodylen == 0
|
|
expect req.body == ""
|
|
txresp \
|
|
-status 200 \
|
|
-body "response 2"
|
|
|
|
accept
|
|
|
|
rxreq
|
|
expect req.bodylen == 38
|
|
expect req.body == "this must be delivered, like it or not"
|
|
txresp \
|
|
-status 200 \
|
|
-body "response 3"
|
|
|
|
accept
|
|
|
|
rxreq
|
|
expect req.bodylen == 0
|
|
expect req.body == ""
|
|
txresp \
|
|
-status 200 \
|
|
-body "response 4"
|
|
|
|
accept
|
|
|
|
##
|
|
## Handle POST requests
|
|
##
|
|
# POST request without body
|
|
rxreq
|
|
expect req.bodylen == 0
|
|
expect req.body == ""
|
|
txresp \
|
|
-status 200 \
|
|
-body "response 1"
|
|
|
|
# POST request without body
|
|
rxreq
|
|
expect req.bodylen == 0
|
|
expect req.body == ""
|
|
txresp \
|
|
-status 200 \
|
|
-body "response 2"
|
|
|
|
# POST request with a body
|
|
rxreq
|
|
expect req.bodylen == 12
|
|
expect req.body == "this is sent"
|
|
txresp \
|
|
-status 200 \
|
|
-body "response 3"
|
|
|
|
# POST request without body
|
|
rxreq
|
|
expect req.bodylen == 0
|
|
expect req.body == ""
|
|
txresp \
|
|
-status 200 \
|
|
-body "response 4"
|
|
} -repeat 3 -start
|
|
|
|
haproxy h1 -conf {
|
|
global
|
|
# WT: limit false-positives causing "HTTP header incomplete" due to
|
|
# idle server connections being randomly used and randomly expiring
|
|
# under us.
|
|
tune.idle-pool.shared off
|
|
|
|
defaults
|
|
mode http
|
|
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
|
|
listen feh1
|
|
bind "fd@${feh1}"
|
|
#bind "fd@${feh2}" proto h2
|
|
server s1 ${s1_addr}:${s1_port}
|
|
} -start
|
|
|
|
# GET requests
|
|
client c1h1 -connect ${h1_feh1_sock} {
|
|
# first request is valid
|
|
txreq \
|
|
-req "GET" \
|
|
-url "/test1.html"
|
|
rxresp
|
|
expect resp.status == 200
|
|
expect resp.body == "response 1"
|
|
|
|
# second request is valid and advertises C-L:0
|
|
txreq \
|
|
-req "GET" \
|
|
-url "/test2.html" \
|
|
-hdr "content-length: 0"
|
|
rxresp
|
|
expect resp.status == 200
|
|
expect resp.body == "response 2"
|
|
|
|
# third request sends a body with a GET
|
|
txreq \
|
|
-req "GET" \
|
|
-url "/test3.html" \
|
|
-body "this must be delivered, like it or not"
|
|
rxresp
|
|
expect resp.status == 200
|
|
expect resp.body == "response 3"
|
|
|
|
# fourth request is valid and advertises C-L:0, and close, and is
|
|
# followed by a string "this is not sent\r\n\r\n" which must be
|
|
# dropped.
|
|
txreq \
|
|
-req "GET" \
|
|
-url "/test4.html" \
|
|
-hdr "content-length: 0" \
|
|
-hdr "connection: close"
|
|
# "this is not sent"
|
|
sendhex "74787973207973206E6F742073656E740D0A0D0A"
|
|
rxresp
|
|
expect resp.status == 200
|
|
expect resp.body == "response 4"
|
|
|
|
# the connection is expected to be closed and no more response must
|
|
# arrive here.
|
|
expect_close
|
|
} -run
|
|
|
|
# HEAD requests
|
|
# Note: for now they fail with varnishtest, which expects the amount of
|
|
# data advertised in the content-length response.
|
|
client c2h1 -connect ${h1_feh1_sock} {
|
|
# first request is valid
|
|
txreq \
|
|
-req "HEAD" \
|
|
-url "/test11.html"
|
|
rxresp
|
|
expect resp.status == 200
|
|
expect resp.body == ""
|
|
|
|
# second request is valid and advertises C-L:0
|
|
txreq \
|
|
-req "HEAD" \
|
|
-url "/test12.html" \
|
|
-hdr "content-length: 0"
|
|
rxresp
|
|
expect resp.status == 200
|
|
expect resp.body == ""
|
|
|
|
# third request sends a body with a HEAD
|
|
txreq \
|
|
-req "HEAD" \
|
|
-url "/test13.html" \
|
|
-body "this must be delivered, like it or not"
|
|
rxresp
|
|
expect resp.status == 200
|
|
expect resp.body == ""
|
|
|
|
# fourth request is valid and advertises C-L:0, and close, and is
|
|
# followed by a string "this is not sent\r\n\r\n" which must be
|
|
# dropped.
|
|
txreq \
|
|
-req "HEAD" \
|
|
-url "/test14.html" \
|
|
-hdr "content-length: 0" \
|
|
-hdr "connection: close"
|
|
# "this is not sent"
|
|
sendhex "74787973207973206E6F742073656E740D0A0D0A"
|
|
rxresp
|
|
expect resp.status == 200
|
|
expect resp.body == ""
|
|
|
|
# the connection is expected to be closed and no more response must
|
|
# arrive here.
|
|
expect_close
|
|
} -run
|
|
|
|
client c3h1 -connect ${h1_feh1_sock} {
|
|
# first request is valid
|
|
txreq \
|
|
-req "POST" \
|
|
-url "/test21.html"
|
|
rxresp
|
|
expect resp.status == 200
|
|
expect resp.body == "response 1"
|
|
|
|
# second request is valid and advertises C-L:0
|
|
txreq \
|
|
-req "POST" \
|
|
-url "/test22.html" \
|
|
-hdr "content-length: 0"
|
|
rxresp
|
|
expect resp.status == 200
|
|
expect resp.body == "response 2"
|
|
|
|
# third request is valid and advertises (and sends) some contents
|
|
txreq \
|
|
-req "POST" \
|
|
-url "/test23.html" \
|
|
-body "this is sent"
|
|
rxresp
|
|
expect resp.status == 200
|
|
expect resp.body == "response 3"
|
|
|
|
# fourth request is valid and advertises C-L:0, and close, and is
|
|
# followed by a string "this is not sent\r\n\r\n" which must be
|
|
# dropped.
|
|
txreq \
|
|
-req "POST" \
|
|
-url "/test24.html" \
|
|
-hdr "content-length: 0" \
|
|
-hdr "connection: close"
|
|
# "this is not sent"
|
|
sendhex "74787973207973206E6F742073656E740D0A0D0A"
|
|
rxresp
|
|
expect resp.status == 200
|
|
expect resp.body == "response 4"
|
|
|
|
# the connection is expected to be closed and no more response must
|
|
# arrive here.
|
|
expect_close
|
|
} -run
|
|
|
|
client c4h1 -connect ${h1_feh1_sock} {
|
|
# this request is invalid and advertises an invalid C-L ending with an
|
|
# empty value, which results in a stream error.
|
|
txreq \
|
|
-req "GET" \
|
|
-url "/test31.html" \
|
|
-hdr "content-length: 0," \
|
|
-hdr "connection: close"
|
|
rxresp
|
|
expect resp.status == 400
|
|
expect_close
|
|
} -run
|
|
|
|
client c5h1 -connect ${h1_feh1_sock} {
|
|
# this request is invalid and advertises an empty C-L, which results
|
|
# in a stream error.
|
|
txreq \
|
|
-req "GET" \
|
|
-url "/test41.html" \
|
|
-hdr "content-length:" \
|
|
-hdr "connection: close"
|
|
rxresp
|
|
expect resp.status == 400
|
|
expect_close
|
|
} -run
|