mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-08-07 15:47:01 +02:00
Code Issues Projects Releases Wiki Activity

MEDIUM: h1: enlarge the scope of accepted version chars with accept-invalid-http-request

Browse Source 
We used to support both RTSP and HTTP protocol version names with and
without accept-invalid-http-request, but since this is based on the
characters themselves, any protocol made of chars {0-9/.HPRST} was
possible and not others. Now that such non-standard protocols are
restricted to accept-invalid-http-request, there's no reason for not
allowing other letters. With this patch, characters {0-9./A-Z} are
permitted when the option is set.
This commit is contained in:
Willy Tarreau 2022-05-24 15:34:26 +02:00
parent 8f4116ea65
commit 1ba30167a0
2 changed files with 23 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
doc/configuration.txt
View File

@ -8372,8 +8372,8 @@ no option accept-invalid-http-request
not allowed at all. HAProxy always blocks a number of them (0..32, 127). The not allowed at all. HAProxy always blocks a number of them (0..32, 127). The
remaining ones are blocked by default unless this option is enabled. This remaining ones are blocked by default unless this option is enabled. This
option also relaxes the test on the HTTP version, it allows HTTP/0.9 requests option also relaxes the test on the HTTP version, it allows HTTP/0.9 requests
to pass through (no version specified) and multiple digits for both the major to pass through (no version specified), as well as different protocol names
and the minor version. (e.g. RTSP), and multiple digits for both the major and the minor version.
This option should never be enabled by default as it hides application bugs This option should never be enabled by default as it hides application bugs
and open security breaches. It should only be deployed after a problem has and open security breaches. It should only be deployed after a problem has

42
src/http.c
View File

@ -90,32 +90,32 @@ const unsigned char http_char_classes[256] = {
['>'] = HTTP_FLG_SEP, ['>'] = HTTP_FLG_SEP,
['?'] = HTTP_FLG_SEP, ['?'] = HTTP_FLG_SEP,
['@'] = HTTP_FLG_SEP, ['@'] = HTTP_FLG_SEP,
['A'] = HTTP_FLG_TOK, ['A'] = HTTP_FLG_TOK | HTTP_FLG_VER,
['B'] = HTTP_FLG_TOK, ['B'] = HTTP_FLG_TOK | HTTP_FLG_VER,
['C'] = HTTP_FLG_TOK, ['C'] = HTTP_FLG_TOK | HTTP_FLG_VER,
['D'] = HTTP_FLG_TOK, ['D'] = HTTP_FLG_TOK | HTTP_FLG_VER,
['E'] = HTTP_FLG_TOK, ['E'] = HTTP_FLG_TOK | HTTP_FLG_VER,
['F'] = HTTP_FLG_TOK, ['F'] = HTTP_FLG_TOK | HTTP_FLG_VER,
['G'] = HTTP_FLG_TOK, ['G'] = HTTP_FLG_TOK | HTTP_FLG_VER,
['H'] = HTTP_FLG_TOK | HTTP_FLG_VER, ['H'] = HTTP_FLG_TOK | HTTP_FLG_VER,
['I'] = HTTP_FLG_TOK, ['I'] = HTTP_FLG_TOK | HTTP_FLG_VER,
['J'] = HTTP_FLG_TOK, ['J'] = HTTP_FLG_TOK | HTTP_FLG_VER,
['K'] = HTTP_FLG_TOK, ['K'] = HTTP_FLG_TOK | HTTP_FLG_VER,
['L'] = HTTP_FLG_TOK, ['L'] = HTTP_FLG_TOK | HTTP_FLG_VER,
['M'] = HTTP_FLG_TOK, ['M'] = HTTP_FLG_TOK | HTTP_FLG_VER,
['N'] = HTTP_FLG_TOK, ['N'] = HTTP_FLG_TOK | HTTP_FLG_VER,
['O'] = HTTP_FLG_TOK, ['O'] = HTTP_FLG_TOK | HTTP_FLG_VER,
['P'] = HTTP_FLG_TOK | HTTP_FLG_VER, ['P'] = HTTP_FLG_TOK | HTTP_FLG_VER,
['Q'] = HTTP_FLG_TOK, ['Q'] = HTTP_FLG_TOK | HTTP_FLG_VER,
['R'] = HTTP_FLG_TOK | HTTP_FLG_VER, ['R'] = HTTP_FLG_TOK | HTTP_FLG_VER,
['S'] = HTTP_FLG_TOK | HTTP_FLG_VER, ['S'] = HTTP_FLG_TOK | HTTP_FLG_VER,
['T'] = HTTP_FLG_TOK | HTTP_FLG_VER, ['T'] = HTTP_FLG_TOK | HTTP_FLG_VER,
['U'] = HTTP_FLG_TOK, ['U'] = HTTP_FLG_TOK | HTTP_FLG_VER,
['V'] = HTTP_FLG_TOK, ['V'] = HTTP_FLG_TOK | HTTP_FLG_VER,
['W'] = HTTP_FLG_TOK, ['W'] = HTTP_FLG_TOK | HTTP_FLG_VER,
['X'] = HTTP_FLG_TOK, ['X'] = HTTP_FLG_TOK | HTTP_FLG_VER,
['Y'] = HTTP_FLG_TOK, ['Y'] = HTTP_FLG_TOK | HTTP_FLG_VER,
['Z'] = HTTP_FLG_TOK, ['Z'] = HTTP_FLG_TOK | HTTP_FLG_VER,
['['] = HTTP_FLG_SEP, ['['] = HTTP_FLG_SEP,
[ 92] = HTTP_FLG_SEP, [ 92] = HTTP_FLG_SEP,
[']'] = HTTP_FLG_SEP, [']'] = HTTP_FLG_SEP,