From: Amaury Denoyelle Date: Wed, 16 Apr 2025 13:27:03 +0000 (+0200) Subject: BUG/MINOR: h3: reject request URI with invalid characters X-Git-Tag: v3.2-dev11~42 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1faa1285aacaaacd2c2e062d87f04aa481843862;p=thirdparty%2Fhaproxy.git BUG/MINOR: h3: reject request URI with invalid characters Ensure that the HTX start-line generated after parsing an HTTP/3 request does not contain any invalid character, i.e. control or whitespace characters. Note that for now path is used directly as URI. Thus, the check is performed directly over it. A patch will change this to generate an absolute-form URI in most cases, but it won't be backported to avoid configuration breaking in stable versions. This must be backported up to 2.6. --- diff --git a/src/h3.c b/src/h3.c index a66a48a44..c99619b72 100644 --- a/src/h3.c +++ b/src/h3.c @@ -752,6 +752,18 @@ static ssize_t h3_headers_to_htx(struct qcs *qcs, const struct buffer *buf, goto out; } + /* Ensure that final URI does not contains LWS nor CTL characters. */ + for (i = 0; i < path.len; i++) { + unsigned char c = istptr(path)[i]; + if (HTTP_IS_LWS(c) || HTTP_IS_CTL(c)) { + TRACE_ERROR("invalid character in path", H3_EV_RX_FRAME|H3_EV_RX_HDR, qcs->qcc->conn, qcs); + h3s->err = H3_ERR_MESSAGE_ERROR; + qcc_report_glitch(h3c->qcc, 1); + len = -1; + goto out; + } + } + sl = htx_add_stline(htx, HTX_BLK_REQ_SL, flags, meth, path, ist("HTTP/3.0")); if (!sl) { len = -1;
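Review bot: The comment above the new loop says "final URI", but the loop walks `path` only, and the commit message states that a later patch will generate an absolute-form URI. Suggest wording the comment to match what is checked, for example "Ensure that the path, used as URI for now, does not contain LWS nor CTL characters" (this also fixes "does not contains"). When the absolute-form change lands, the same check should run on the value actually handed to `htx_add_stline()` so that the parts added in front of the path are covered too. Minor: the error branch reaches the connection through `qcs->qcc` in `TRACE_ERROR` and through `h3c->qcc` in `qcc_report_glitch`; using one of them for both would read more clearly. The declaration of `i` is not visible in this hunk, so it is worth confirming that its type matches that of `path.len`.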