haproxy/reg-tests
Willy Tarreau 6492f1f29d BUG/MAJOR: http: reject any empty content-length header value
The content-length header parser has its dedicated function, in order
to take extreme care about invalid, unparsable, or conflicting values.
But there's a corner case in it, by which it stops comparing values
when reaching the end of the header. This has for a side effect that
an empty value or a value that ends with a comma does not deserve
further analysis, and it acts as if the header was absent.

While this is not necessarily a problem for the value ending with a
comma as it will cause a header folding and will disappear, it is a
problem for the first isolated empty header because this one will not
be reconstructed when next ones are seen, and will be passed as-is to the
backend server. A vulnerable HTTP/1 server hosted behind haproxy that
would just use this first value as "0" and ignore the valid one would
then not be protected by haproxy and could be attacked this way, taking
the payload for an extra request.

In the field, the risk depends on the server. Most commonly used servers
already have safe content-length parsers, but users relying on haproxy
to protect a known-vulnerable server might be at risk (and the risk of
a bug even in a reputable server should never be dismissed).

A configuration-based work-around consists in adding the following rule
in the frontend, to explicitly reject requests featuring an empty
content-length header that would not have been folded into an existing
one:

    http-request deny if { hdr_len(content-length) 0 }

The real fix consists in adjusting the parser so that it always expects a
value at the beginning of the header or after a comma. It will now reject
requests and responses having empty values anywhere in the C-L header.

This needs to be backported to all supported versions. Note that the
modification was made to functions h1_parse_cont_len_header() and
http_parse_cont_len_header(). Prior to 2.8 the latter was in
h2_parse_cont_len_header(). One day the two should be refused but the
former is also used by Lua.

The HTTP messaging reg-tests were completed to test these cases.

Thanks to Ben Kallus of Dartmouth College and Narf Industries for
reporting this! (this is in GH #2237).
2023-08-09 09:27:38 +02:00
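The parsing rule the fix describes (a value is mandatory at the start of the header and after every comma, and all values present must agree), as an added C illustration written for this page; it is not HAProxy's h1_parse_cont_len_header() or http_parse_cont_len_header(), and the function names below are my own:

```c
#include <limits.h>
#include <string.h>

/* Parse a Content-Length value of <len> bytes at <s>. The value may be a
 * comma-separated list (the result of header folding); every element must be
 * a non-empty run of ASCII digits and all elements must be equal. An empty
 * element, at the start, after a comma or at the end, is rejected rather than
 * treated as "header absent". Returns 1 and stores the length in *out, or 0
 * when the message must be rejected. */
int parse_content_length(const char *s, size_t len, unsigned long long *out)
{
    unsigned long long first = 0;
    int have_value = 0;
    size_t i = 0;

    for (;;) {
        unsigned long long cur = 0;
        size_t digits = 0;

        while (i < len && (s[i] == ' ' || s[i] == '\t'))   /* leading OWS */
            i++;
        while (i < len && s[i] >= '0' && s[i] <= '9') {
            if (cur > (ULLONG_MAX - 9) / 10)
                return 0;                 /* would overflow */
            cur = cur * 10 + (unsigned)(s[i] - '0');
            i++; digits++;
        }
        if (digits == 0)
            return 0;                     /* "", ",42" and "42," all end here */
        while (i < len && (s[i] == ' ' || s[i] == '\t'))   /* trailing OWS */
            i++;
        if (have_value && cur != first)
            return 0;                     /* conflicting values */
        first = cur;
        have_value = 1;
        if (i == len)
            break;
        if (s[i] != ',')
            return 0;                     /* junk such as "12abc" */
        i++;                              /* after a comma another value is mandatory */
    }
    *out = first;
    return 1;
}

/* Wrapper for NUL-terminated strings: the parsed length, or -1 when rejected. */
long long content_length_of(const char *s)
{
    unsigned long long v = 0;
    return parse_content_length(s, strlen(s), &v) ? (long long)v : -1;
}
```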
balance REGTESTS: Remove REQUIRE_VERSION=2.0 from all tests 2023-01-05 09:11:38 +01:00
cache BUG/MINOR: cache: A 'max-age=0' cache-control directive can be overriden by a s-maxage 2023-07-04 22:15:00 +02:00
checks REGTESTS: Remove REQUIRE_VERSION=2.0 from all tests 2023-01-05 09:11:38 +01:00
compression MINOR: compression: Improve the way Vary header is added 2023-05-25 11:25:31 +02:00
connection REGTESTS: remove unsupported "stats bind-process" keyword 2023-04-23 09:44:53 +02:00
contrib REGTESTS: Fix prometheus script to perform HTTP health-checks 2022-08-24 12:17:34 +02:00
converter REGTEST: fix the race conditions in hmac.vtc 2023-01-05 15:22:22 +01:00
filters REGTEESTS: filters: Fix CONNECT request in random-forwarding script 2022-07-07 09:52:56 +02:00
http-capture REGTESTS: extend the default I/O timeouts and make them overridable 2021-11-18 17:57:11 +01:00
http-cookies REGTESTS: add test for HTTP/2 cookies concatenation 2022-08-18 16:13:33 +02:00
http-errorfiles REGTESTS: extend the default I/O timeouts and make them overridable 2021-11-18 17:57:11 +01:00
http-messaging BUG/MAJOR: http: reject any empty content-length header value 2023-08-09 09:27:38 +02:00
http-rules REGTESTS: http-rules: verify that we block '#' by default for normalize-uri 2023-08-08 19:56:41 +02:00
http-set-timeout REGTESTS: extend the default I/O timeouts and make them overridable 2021-11-18 17:57:11 +01:00
jwt MINOR: jwt: Add support for RSA-PSS signatures (PS256 algorithm) 2023-03-08 10:43:04 +01:00
log REGTESTS: log: Reduce again response inspect-delay for last_rule.vtc 2023-05-17 11:12:25 +02:00
lua BUG/MEDIUM: tests: use tmpdir to create UNIX socket 2022-12-18 12:47:20 +01:00
mailers REGTESTS: use lua mailer script for mailers tests 2023-05-05 16:28:32 +02:00
mcli REGTESTS: Remove REQUIRE_VERSION=2.0 from all tests 2023-01-05 09:11:38 +01:00
peers REGTESTS: Remove REQUIRE_VERSION=2.0 from all tests 2023-01-05 09:11:38 +01:00
sample_fetches MINOR: sample: Add bc_rtt and bc_rttvar 2023-04-28 16:31:08 +02:00
seamless-reload REGTESTS: Remove REQUIRE_VERSION=1.8 from all tests 2022-01-29 15:24:45 +01:00
server REGTESTS: add success test, "set server" via fqdn 2023-05-02 11:27:24 +02:00
spoe REGTESTS: extend the default I/O timeouts and make them overridable 2021-11-18 17:57:11 +01:00
ssl MEDIUM: ssl: new sample fetch method to get curve name 2023-07-17 15:45:41 +02:00
startup REGTESTS: startup: disable automatic_maxconn.vtc 2022-12-16 08:24:04 +01:00
stick-table REGTESTS: fix peers-related regtests regarding "show table" 2022-11-29 16:34:50 +01:00
stickiness REG-TESTS: stickiness: Delay haproxys start to properly resolv variables 2023-06-05 08:24:34 +02:00
stream REGTESTS: Remove REQUIRE_VERSION=2.0 from all tests 2023-01-05 09:11:38 +01:00
tcp-rules REGTESTS: extend the default I/O timeouts and make them overridable 2021-11-18 17:57:11 +01:00
webstats MINOR: stats: protect against future stats fields omissions 2023-06-02 08:39:53 +02:00
README REGTESTS: extend the default I/O timeouts and make them overridable 2021-11-18 17:57:11 +01:00

                 * Regression testing for HAProxy with VTest *


This README explains how to compile vtest and run its test case files (VTC files)
to check HAProxy for regressions.

To do so, you will have to compile the vtest program, whose sources depend on
the Varnish Cache sources. vtest, formerly varnishtest, is a very useful
program that was developed to test Varnish Cache. vtest has been
modified in collaboration with Varnish Cache creator Poul-Henning Kamp to support
HAProxy in addition to Varnish Cache.

See also: doc/regression-testing.txt

* vtest compilation *

    $ git clone https://github.com/vtest/VTest

    $ cd VTest

    $ make vtest

  The vtest binary is then found at the root of the VTest source directory.
  The Varnish Cache manuals are located in the 'man' directory of the Varnish Cache
  sources. See the varnishtest(7) and vtc(7) manuals to learn how to
  use vtest.

  Some information may also be found in doc/regression-testing.txt in HAProxy
  sources.

  Note that VTC files for Varnish Cache may be found in the bin/varnishtest/tests
  directory of the Varnish Cache sources, available here:
  https://github.com/varnishcache/varnish-cache


* vtest execution *

  Set the HAPROXY_PROGRAM environment variable to tell vtest where the
  HAProxy binary to test is located:

    $ HAPROXY_PROGRAM=<my haproxy program> vtest ...

  The HAProxy VTC files found in the HAProxy sources may be run with the reg-tests
  Makefile target. Set the VTEST_PROGRAM environment variable to the location
  of the vtest program compiled above:

    $ VTEST_PROGRAM=<my vtest program> make reg-tests

  The "reg-tests" Makefile target runs the scripts/run-regtest.sh script.
  Run that script with the --help option for more information.

  Note that vtest is run with the -t10 and -l options. The -l option keeps
  vtest's temporary directory when a test case fails; core files
  may be found in this directory (if enabled by ulimit).


* vtest patches for HAProxy VTC files *

  When producing a patch to add a VTC regression testing file to the reg-tests directory,
  please follow these simple rules:

    - If your VTC file needs other files, use, if possible, the same basename as that
      of the VTC file,
    - Put these files in a directory with the same name as the code area concerned
      by the bug ('peers', 'lua', 'acl', etc.).

Please note that most tests use a common set of timeouts defined by the
environment variable HAPROXY_TEST_TIMEOUT. As much as possible, for regular I/O
(i.e. not errors), please try to reuse that setting so that the value may
easily be adjusted when running in some particularly slow environments, or be
shortened to fail faster on developers' machines.