From 718e2a73a2f919f921b0dc4b0e46727718256831 Mon Sep 17 00:00:00 2001
From: Thierry FOURNIER <tfournier@arpalert.org>
Date: Sun, 20 Dec 2015 20:13:14 +0100
Subject: [PATCH] BUG/MEDIUM: lua: Forbid HTTP applets from being called from
 tcp rulesets

HTTP applets request requires everything initilized by
"http_process_request" (analyzer flag AN_REQ_HTTP_INNER).
The applet will be immediately initilized, but its before
the call of this analyzer.

Due to this problem HTTP applets could be called with uncompletely
initialized http_txn.

This fix must be backported to 1.6.
---
 src/hlua.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/hlua.c b/src/hlua.c
index b399b269c..626053368 100644
--- a/src/hlua.c
+++ b/src/hlua.c
@@ -6062,6 +6062,17 @@ static enum act_parse_ret action_register_service_http(const char **args, int *c
 {
 	struct hlua_function *fcn = (struct hlua_function *)rule->kw->private;
 
+	/* HTTP applets are forbidden in tcp-request rules.
+	 * HTTP applet request requires everything initilized by
+	 * "http_process_request" (analyzer flag AN_REQ_HTTP_INNER).
+	 * The applet will be immediately initilized, but its before
+	 * the call of this analyzer.
+	 */
+	if (rule->from != ACT_F_HTTP_REQ) {
+		memprintf(err, "HTTP applets are forbidden from 'tcp-request' rulesets");
+		return ACT_RET_PRS_ERR;
+	}
+
 	/* Memory for the rule. */
 	rule->arg.hlua_rule = calloc(1, sizeof(*rule->arg.hlua_rule));
 	if (!rule->arg.hlua_rule) {