From d3d9d83f036871c1bf76399e8ccacffaf05d5943 Mon Sep 17 00:00:00 2001
From: Christopher Faulet <cfaulet@haproxy.com>
Date: Tue, 14 May 2024 15:06:48 +0200
Subject: [PATCH] BUG/MEDIUM: h1: Reject CONNECT request if the target has a
 scheme

The target of a CONNECT request must not have scheme. However, this was not
checked during the message parsing. It is now rejected.

This patch may be backported as far as 2.4.
---
 src/h1.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/h1.c b/src/h1.c
index a1393ca00..b20327c10 100644
--- a/src/h1.c
+++ b/src/h1.c
@@ -183,11 +183,11 @@ int h1_parse_xfer_enc_header(struct h1m *h1m, struct ist value)
  * is hast header, its value is normalized. 0 is returned on success, -1 if the
  * authority is invalid and -2 if the host is invalid.
  */
-static int h1_validate_connect_authority(struct ist authority, struct ist *host_hdr)
+static int h1_validate_connect_authority(struct ist scheme, struct ist authority, struct ist *host_hdr)
 {
 	struct ist uri_host, uri_port, host, host_port;
 
-	if (!isttest(authority))
+	if (isttest(scheme) || !isttest(authority))
 		goto invalid_authority;
 	uri_host = authority;
 	uri_port = http_get_host_port(authority);
@@ -1112,7 +1112,7 @@ int h1_headers_to_hdr_list(char *start, const char *stop,
 			if (sl.rq.meth == HTTP_METH_CONNECT) {
 				struct ist *host = ((host_idx != -1) ? &hdr[host_idx].v : NULL);
 
-				ret = h1_validate_connect_authority(authority, host);
+				ret = h1_validate_connect_authority(scheme, authority, host);
 				if (ret < 0) {
 					if (h1m->err_pos < -1) {
 						state = H1_MSG_LAST_LF;