mirror of
http://git.haproxy.org/git/haproxy.git/
synced 2025-01-12 00:39:32 +00:00
4b85a963be
When using `option http-restrict-req-hdr-names delete`, HAproxy may crash or delete wrong header after receiving request containing multiple forbidden characters in single header name; exact behavior depends on number of request headers, number of forbidden characters and position of header containing them. This patch fixes GitHub issue #1822. Must be backported as far as 2.2 (buggy feature got included in 2.2.25, 2.4.18 and 2.5.8).
186 lines
4.3 KiB
Plaintext
186 lines
4.3 KiB
Plaintext
varnishtest "http-restrict-req-hdr-names option tests"
|
|
feature cmd "$HAPROXY_PROGRAM -cc 'version_atleast(2.0-dev0)'"
|
|
|
|
# This config tests "http-restrict-req-hdr-names" option
|
|
|
|
feature ignore_unknown_macro
|
|
|
|
server s1 {
|
|
rxreq
|
|
expect req.http.x-my_hdr == on
|
|
txresp
|
|
} -start
|
|
|
|
server s2 {
|
|
rxreq
|
|
expect req.http.x-my_hdr == <undef>
|
|
txresp
|
|
} -start
|
|
|
|
server s3 {
|
|
rxreq
|
|
expect req.http.x-my_hdr == on
|
|
txresp
|
|
} -start
|
|
|
|
server s4 {
|
|
rxreq
|
|
expect req.http.x-my_hdr == <undef>
|
|
txresp
|
|
} -start
|
|
|
|
server s5 {
|
|
rxreq
|
|
expect req.http.x-my_hdr == on
|
|
txresp
|
|
} -start
|
|
|
|
server s6 {
|
|
rxreq
|
|
expect req.http.x_my_hdr_with_lots_of_underscores == <undef>
|
|
txresp
|
|
} -start
|
|
|
|
server s7 {
|
|
rxreq
|
|
expect req.http.x_my_hdr-1 == <undef>
|
|
expect req.http.x-my-hdr-2 == on
|
|
txresp
|
|
} -start
|
|
|
|
server s8 {
|
|
rxreq
|
|
expect req.http.x-my_hdr-1 == <undef>
|
|
expect req.http.x-my_hdr-2 == <undef>
|
|
txresp
|
|
} -start
|
|
|
|
server s9 {
|
|
rxreq
|
|
expect req.http.x-my-hdr-with-trailing-underscore_ == <undef>
|
|
txresp
|
|
} -start
|
|
|
|
haproxy h1 -conf {
|
|
defaults
|
|
mode http
|
|
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
|
|
frontend fe1
|
|
bind "fd@${fe1}"
|
|
use_backend be-http1 if { path /req1 }
|
|
use_backend be-http2 if { path /req2 }
|
|
use_backend be-http3 if { path /req3 }
|
|
use_backend be-fcgi1 if { path /req4 }
|
|
use_backend be-fcgi2 if { path /req5 }
|
|
use_backend be-fcgi3 if { path /req6 }
|
|
use_backend be-http4 if { path /req7 }
|
|
use_backend be-http5 if { path /req8 }
|
|
use_backend be-http6 if { path /req9 }
|
|
use_backend be-http7 if { path /req10 }
|
|
|
|
backend be-http1
|
|
server s1 ${s1_addr}:${s1_port}
|
|
|
|
backend be-http2
|
|
option http-restrict-req-hdr-names delete
|
|
server s2 ${s2_addr}:${s2_port}
|
|
|
|
backend be-http3
|
|
option http-restrict-req-hdr-names reject
|
|
|
|
backend be-fcgi1
|
|
option http-restrict-req-hdr-names preserve
|
|
server s3 ${s3_addr}:${s3_port}
|
|
|
|
backend be-fcgi2
|
|
option http-restrict-req-hdr-names delete
|
|
server s4 ${s4_addr}:${s4_port}
|
|
|
|
backend be-fcgi3
|
|
option http-restrict-req-hdr-names reject
|
|
|
|
backend be-http4
|
|
option http-restrict-req-hdr-names delete
|
|
server s6 ${s6_addr}:${s6_port}
|
|
|
|
backend be-http5
|
|
option http-restrict-req-hdr-names delete
|
|
server s7 ${s7_addr}:${s7_port}
|
|
|
|
backend be-http6
|
|
option http-restrict-req-hdr-names delete
|
|
server s8 ${s8_addr}:${s8_port}
|
|
|
|
backend be-http7
|
|
option http-restrict-req-hdr-names delete
|
|
server s9 ${s9_addr}:${s9_port}
|
|
|
|
defaults
|
|
mode http
|
|
timeout connect "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout client "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
timeout server "${HAPROXY_TEST_TIMEOUT-5s}"
|
|
option http-restrict-req-hdr-names preserve
|
|
|
|
frontend fe2
|
|
bind "fd@${fe2}"
|
|
default_backend be-fcgi4
|
|
|
|
backend be-fcgi4
|
|
server s5 ${s5_addr}:${s5_port}
|
|
|
|
fcgi-app my-fcgi-app
|
|
docroot ${testdir}
|
|
} -start
|
|
|
|
client c1 -connect ${h1_fe1_sock} {
|
|
txreq -req GET -url /req1 -hdr "X-my_hdr: on"
|
|
rxresp
|
|
expect resp.status == 200
|
|
|
|
txreq -req GET -url /req2 -hdr "X-my_hdr: on"
|
|
rxresp
|
|
expect resp.status == 200
|
|
|
|
txreq -req GET -url /req3 -hdr "X-my_hdr: on"
|
|
rxresp
|
|
expect resp.status == 403
|
|
|
|
txreq -req GET -url /req4 -hdr "X-my_hdr: on"
|
|
rxresp
|
|
expect resp.status == 200
|
|
|
|
txreq -req GET -url /req5 -hdr "X-my_hdr: on"
|
|
rxresp
|
|
expect resp.status == 200
|
|
|
|
txreq -req GET -url /req6 -hdr "X-my_hdr: on"
|
|
rxresp
|
|
expect resp.status == 403
|
|
|
|
txreq -req GET -url /req7 -hdr "X_my_hdr_with_lots_of_underscores: on"
|
|
rxresp
|
|
expect resp.status == 200
|
|
|
|
txreq -req GET -url /req8 -hdr "X_my_hdr-1: on" -hdr "X-my-hdr-2: on"
|
|
rxresp
|
|
expect resp.status == 200
|
|
|
|
txreq -req GET -url /req9 -hdr "X-my_hdr-1: on" -hdr "X-my_hdr-2: on"
|
|
rxresp
|
|
expect resp.status == 200
|
|
|
|
txreq -req GET -url /req10 -hdr "X-my-hdr-with-trailing-underscore_: on"
|
|
rxresp
|
|
expect resp.status == 200
|
|
} -run
|
|
|
|
client c2 -connect ${h1_fe2_sock} {
|
|
txreq -req GET -url /req1 -hdr "X-my_hdr: on"
|
|
rxresp
|
|
expect resp.status == 200
|
|
} -run
|