mirror of
https://git.haproxy.org/git/haproxy.git/
synced 2025-09-21 05:41:26 +02:00
b2f64af341
The description of tests performed on the URI in H1 when 'accept-unsafe-violations-in-http-request' option is wrong. It states that only characters below 32 and 127 are blocked when this option is set, suggesting that otherwise, when it is not set, all invalid characters in the URI, according to the RFC3986, are blocked. But in fact, it is not true. By default all character below 32 and above 127 are blocked. And when 'accept-unsafe-violations-in-http-request' option is set, characters above 127 (excluded) are accepted. But characters in (33..126) are never checked, independently of this option. This patch should fix the issue #2906. It should be backported as far as 3.0. For older versions, the docuementation could also be clarified because this part is not really clear. Note the request URI validation is still under discution because invalid characters in (33.126) are never checked and some users request a stricter parsing.
