RepoMirrors/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git/ synced 2024-12-20 02:30:13 +00:00
Code Issues Packages Projects Releases Wiki Activity
fa463afa8f
haproxy/reg-tests/http-rules
History
Christopher Faulet 18c13d3bd8 MEDIUM: http-ana: Add a proxy option to restrict chars in request header names 
The "http-restrict-req-hdr-names" option can now be set to restrict allowed
characters in the request header names to the "[a-zA-Z0-9-]" charset.

Idea of this option is to not send header names with non-alphanumeric or
hyphen character. It is especially important for FastCGI application because
all those characters are converted to underscore. For instance,
"X-Forwarded-For" and "X_Forwarded_For" are both converted to
"HTTP_X_FORWARDED_FOR". So, header names can be mixed up by FastCGI
applications. And some HAProxy rules may be bypassed by mangling header
names. In addition, some non-HTTP compliant servers may incorrectly handle
requests when header names contain characters ouside the "[a-zA-Z0-9-]"
charset.

When this option is set, the policy must be specify:

  * preserve: It disables the filtering. It is the default mode for HTTP
              proxies with no FastCGI application configured.

  * delete: It removes request headers with a name containing a character
            outside the "[a-zA-Z0-9-]" charset. It is the default mode for
            HTTP backends with a configured FastCGI application.

  * reject: It rejects the request with a 403-Forbidden response if it
            contains a header name with a character outside the
            "[a-zA-Z0-9-]" charset.

The option is evaluated per-proxy and after http-request rules evaluation.

This patch may be backported to avoid any secuirty issue with FastCGI
application (so as far as 2.2).
2022-05-16 16:00:26 +02:00
..
1k.txt
acl_cli_spaces.vtc REGTESTS: extend the default I/O timeouts and make them overridable 2021-11-18 17:57:11 +01:00
agents.acl
converters_ipmask_concat_strcmp_field_word.map
converters_ipmask_concat_strcmp_field_word.vtc REGTESTS: extend the default I/O timeouts and make them overridable 2021-11-18 17:57:11 +01:00
default_rules.vtc BUG/MEDIUM: rules: Be able to use captures defined in defaults section 2022-04-25 15:28:21 +02:00
del_header.vtc REGTESTS: extend the default I/O timeouts and make them overridable 2021-11-18 17:57:11 +01:00
except-forwardfor-originalto.vtc REGTESTS: extend the default I/O timeouts and make them overridable 2021-11-18 17:57:11 +01:00
h1_to_h1c.vtc REGTESTS: extend the default I/O timeouts and make them overridable 2021-11-18 17:57:11 +01:00
h1or2_to_h1c.vtc REGTESTS: extend the default I/O timeouts and make them overridable 2021-11-18 17:57:11 +01:00
http_after_response.vtc REGTESTS: extend the default I/O timeouts and make them overridable 2021-11-18 17:57:11 +01:00
http_return.vtc REGTESTS: extend the default I/O timeouts and make them overridable 2021-11-18 17:57:11 +01:00
lf-file.txt
map_redirect-be.map
map_redirect.map MINOR: http-rules: add a new "ignore-empty" option to redirects. 2021-09-02 17:06:18 +02:00
map_redirect.vtc REGTESTS: extend the default I/O timeouts and make them overridable 2021-11-18 17:57:11 +01:00
map_regm_with_backref.map
map_regm_with_backref.vtc REGTESTS: extend the default I/O timeouts and make them overridable 2021-11-18 17:57:11 +01:00
normalize_uri.vtc REGTESTS: fix the race conditions in normalize_uri.vtc 2022-02-28 17:16:55 +01:00
path_and_pathq.vtc REGTESTS: extend the default I/O timeouts and make them overridable 2021-11-18 17:57:11 +01:00
restrict_req_hdr_names.vtc MEDIUM: http-ana: Add a proxy option to restrict chars in request header names 2022-05-16 16:00:26 +02:00
strict_rw_mode.vtc REGTESTS: extend the default I/O timeouts and make them overridable 2021-11-18 17:57:11 +01:00