This commit prevents forwarding of an HTTP/2 Extended CONNECT when the "h2c"
or "h2" token is set as the targeted protocol. Contrary to the previous
commit, which deals with the HTTP/1 mux, this time the request is rejected
and a RESET_STREAM is reported to the client.
This must be backported up to 2.4 after a period of observation.
rxresp
expect resp.status == 200
+}
+
+# extended connect with invalid "h2c" protocol
+client c8_h2c -connect ${hap_frt_h2_h1_sock} {
+ txpri
+ stream 0 {
+ txsettings
+ rxsettings
+ txsettings -ack
+ rxsettings
+ expect settings.ack == true
+ } -run
+
+ stream 1 {
+ txreq \
+ -req "CONNECT" \
+ -scheme "http" \
+ -url "/" \
+ -hdr ":authority" "127.0.0.1" \
+ -hdr ":protocol" "h2c"
+
+ rxrst
+ expect rst.err == 1
+ } -run
} -run
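Review bot: The new `c8_h2c` client exercises only `:protocol` "h2c", while the parser change in this commit also rejects "h2" and compares both values case-insensitively, so two of the three rejected shapes are untested. A second client identical to this one but sending `-hdr ":protocol" "h2"`, and ideally one sending an upper-case value, would pin the whole check. A short comment on `expect rst.err == 1`, such as `# 1 = PROTOCOL_ERROR`, would also make the expected reset reason readable without looking up the code.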
}
if (*msgf & H2_MSGF_EXT_CONNECT) {
+ /* Consider "h2c" / "h2" as invalid protocol value for Extended CONNECT. */
+ if (isteqi(phdr_val[H2_PHDR_IDX_PROT], ist("h2c")) ||
+ isteqi(phdr_val[H2_PHDR_IDX_PROT], ist("h2"))) {
+ goto fail;
+ }
+
if (!htx_add_header(htx, ist("upgrade"), phdr_val[H2_PHDR_IDX_PROT]))
goto fail;
if (!htx_add_header(htx, ist("connection"), ist("upgrade")))
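Review bot: The comment added above the `isteqi()` checks says which values are rejected but not why, and the reason is the security point of the change. Presumably the concern is that these tokens would otherwise be copied into the `upgrade` header and offered to the server, so something like `/* "h2c"/"h2" must never be forwarded as an Upgrade token: a server accepting it would switch to HTTP/2 behind the proxy and later traffic would no longer be parsed here. */` would keep a later maintainer from relaxing it. The comparison is a whole-value match, so it relies on `:protocol` already being validated as a single token before this point; that is not visible in the hunk and is worth confirming or stating in the comment. The enclosing function and the `fail` label are outside the hunk.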