MEDIUM: http-ana: Refuse invalid 101-switching-protocols responses

A 101-switching-protocols response must contain a Connection header with the Upgrade option. And this response must only be received from a server if the client explicitly requested a protocol upgrade. Thus, the request must also contain a Connection header with the Upgrade option. If not, a 502-bad-gateway response is returned to the client. This way, a tunnel is only established if both sides are agree. It is closer to what the RFC says, but it remains a bit flexible because there is no check on the Upgrade header itself. However, that's probably enough to ensure a tunnel is not established when not requested. This one is not tagged as a bug. But it may be backported, at least to 2.3. It relies on : * MINOR: htx/http-ana: Save info about Upgrade option in the Connection header
2026-05-04 20:46:11 +02:00 · 2021-01-08 16:02:05 +01:00 · 2021-01-08 16:02:05 +01:00 · 6e6c7b1284
commit 6e6c7b1284
parent 576c358508
1 changed files with 9 additions and 0 deletions
--- a/src/http_ana.c
+++ b/src/http_ana.c
@ -1610,6 +1610,15 @@ int http_wait_for_response(struct stream *s, struct channel *rep, int an_bit)
 		goto next_one;
 	}

+	/* A 101-switching-protocols must contains a Connection header with the
+	 * "upgrade" option and the request too. It means both are agree to
+	 * upgrade. It is not so strict because there is no test on the Upgrade
+	 * header content. But it is probably stronger enough for now.
+	 */
+	if (txn->status == 101 &&
+	    (!(txn->req.flags & HTTP_MSGF_CONN_UPG) || !(txn->rsp.flags & HTTP_MSGF_CONN_UPG)))
+		goto return_bad_res;
+
 	/*
 	 * 2: check for cacheability.
 	 */