mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2025-09-22 06:11:32 +02:00
Code Issues Projects Releases Wiki Activity

MEDIUM: proxy: Reject some header names for 'http-send-name-header' directive

Browse Source 
From time to time, we saw the 'http-send-name-header' directive used to
overwrite the Host header to workaround limitations of a buggy application.
Most of time, this led to troubles. This was never officially supported and
each time we strongly discouraged anyone to do so. We already thought to
deprecate this directive, but it seems to be still used by few people. So
for now, we decided to strengthen the tests performed on it.

The header name is now checked during the configuration parsing to forbid
some risky names. 'Host', 'Content-Length', 'Transfer-Encoding' and
'Connection' header names are now rejected. But more headers could be added
in future.
This commit is contained in:
Christopher Faulet 2025-08-28 15:05:57 +02:00
parent 2afcba1eb7
commit 8f3b537547
2 changed files with 11 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
doc/configuration.txt
View File

@ -8366,14 +8366,8 @@ http-send-name-header [<header>]
very late in the connection setup, it may have unexpected effects on already very late in the connection setup, it may have unexpected effects on already
modified headers. For example using it with transport-level header such as modified headers. For example using it with transport-level header such as
connection, content-length, transfer-encoding and so on will likely result in connection, content-length, transfer-encoding and so on will likely result in
invalid requests being sent to the server. Additionally it has been reported invalid requests being sent to the server. This is why following header names
that this directive is currently being used as a way to overwrite the Host are forbidden: host, content-length, transfer-encoding and connection.
header field in outgoing requests; while this trick has been known to work
as a side effect of the feature for some time, it is not officially supported
and might possibly not work anymore in a future version depending on the
technical difficulties this feature induces. A long-term solution instead
consists in fixing the application which required this trick so that it binds
to the correct host name.
See also : "server" See also : "server"

9
src/cfgparse-listen.c
View File

@ -1476,6 +1476,15 @@ int cfg_parse_listen(const char *file, int linenum, char **args, int kwm)
err_code |= ERR_ALERT | ERR_FATAL; err_code |= ERR_ALERT | ERR_FATAL;
goto out; goto out;
} }
if (strcasecmp(args[1], "host") == 0 ||
strcasecmp(args[1], "content-length") == 0 ||
strcasecmp(args[1], "transfer-encoding") == 0 ||
strcasecmp(args[1], "connection") == 0) {
ha_alert("parsing [%s:%d] : '%s' cannot be used as header name for '%s' directive.\n",
file, linenum, args[1], args[0]);
err_code |= ERR_ALERT | ERR_FATAL;
goto out;
}
/* set the desired header name, in lower case */ /* set the desired header name, in lower case */
istfree(&curproxy->server_id_hdr_name); istfree(&curproxy->server_id_hdr_name);