mirror of
https://git.haproxy.org/git/haproxy.git/
synced 2026-05-09 06:56:09 +02:00
b52a0e6782
As reported by Huangbin Zhan in github issue #3355, we're too lax on the :protocol pseudo header. It is currently accepted with regular CONNECT as well as non-CONNECT methods while it only ought to be accepted with extended CONNECT (i.e. CONNECT after the connection negotiated the RFC8441 extension). Let's refine the check in H2 by leveraging the new flag H2_MSGF_EXT_CONN_OK that is passed by the caller when the connection supports the extension. This is sufficient to sort the various cases. The proto upgrade regtest was updated to verify that CONNECT with :protocol without nego and another method with nego and :protocol both fail. Thanks to Huangbin Zhan (@zhanhb) for the report and helpful reproducer. This needs to be backported to all versions. It relies on these patches first: REGTESTS: http-messaging: always send RFC8441 client settings to use ext connect BUG/MINOR: mux-h2: condition the processing of 8441 extension to global setting MINOR: mux-h2: add a new message flag to indicate ext connect support