BUG/MINOR: h3: reject request URI with invalid characters
authorAmaury Denoyelle <adenoyelle@haproxy.com>
Wed, 16 Apr 2025 13:27:03 +0000 (15:27 +0200)
committerAmaury Denoyelle <adenoyelle@haproxy.com>
Wed, 16 Apr 2025 16:32:00 +0000 (18:32 +0200)
Ensure that the HTX start-line generated after parsing an HTTP/3 request
does not contain any invalid character, i.e. control or whitespace
characters.

Note that for now path is used directly as URI. Thus, the check is
performed directly over it. A patch will change this to generate an
absolute-form URI in most cases, but it won't be backported to avoid
configuration breaking in stable versions.

This must be backported up to 2.6.

src/h3.c

index a66a48a44824b6cac36c873937eefeb221b7dad3..c99619b727fe024795051b80040f62e1d83ae0ba 100644 (file)
--- a/src/h3.c
+++ b/src/h3.c
@@ -752,6 +752,18 @@ static ssize_t h3_headers_to_htx(struct qcs *qcs, const struct buffer *buf,
                goto out;
        }
 
+       /* Ensure that final URI does not contains LWS nor CTL characters. */
+       for (i = 0; i < path.len; i++) {
+               unsigned char c = istptr(path)[i];
+               if (HTTP_IS_LWS(c) || HTTP_IS_CTL(c)) {
+                       TRACE_ERROR("invalid character in path", H3_EV_RX_FRAME|H3_EV_RX_HDR, qcs->qcc->conn, qcs);
+                       h3s->err = H3_ERR_MESSAGE_ERROR;
+                       qcc_report_glitch(h3c->qcc, 1);
+                       len = -1;
+                       goto out;
+               }
+       }
+
        sl = htx_add_stline(htx, HTX_BLK_REQ_SL, flags, meth, path, ist("HTTP/3.0"));
        if (!sl) {
                len = -1;
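Review bot: The loop added before `htx_add_stline()` rejects only bytes matching `HTTP_IS_LWS` or `HTTP_IS_CTL`, so, going by the macro names, bytes >= 0x80 and a literal `#` in `path` would still reach the HTX start-line. If the HTTP/1 and HTTP/2 request parsers are stricter about these (not visible in this hunk), HTTP/3 remains the more permissive front door, and URI-based rules could then see input over H3 that they never see over the other protocols. Either extend the condition or say in the comment why the check stops at these two classes, and fix its grammar while there: `/* Ensure that the final URI contains neither LWS nor CTL characters; other bytes are accepted as-is. */`. The trace call reaches the connection through `qcs->qcc->conn` while the glitch report uses `h3c->qcc`; using one accessor for both would read more consistently. `h3_headers_to_htx()` starts and ends outside the hunk, so the declarations of `i`, `h3s` and `h3c` and any earlier emptiness check on `path` cannot be confirmed from here.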