From: Christopher Faulet <cfaulet@haproxy.com>
Date: Tue, 10 Jan 2023 17:51:55 +0000 (+0100)
Subject: BUG/MINOR: h1-htx: Remove flags about protocol upgrade on non-101 responses
X-Git-Tag: v2.8-dev2~61
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5f36bfe42e6fe1daa764c38a8ba158b710e52530;p=thirdparty%2Fhaproxy.git

BUG/MINOR: h1-htx: Remove flags about protocol upgrade on non-101 responses

It is possible to have an "upgrade:" header and the corresponding value in
the "connection:" header for a non-101 response. It happens for
426-Upgrade-Required messages. However, on HAProxy side, a parsing error is
reported for this kind of message because no websocket key header
("sec-websocket-accept:") is found in the response.

So a possible fix could be to not perform this test for non-101
responses. However, having flags about protocol upgrade on this kind of
response could lead to other bugs. Instead, corresponding flags are
removed. Thus, during the H1 response post-parsing, H1_MF_CONN_UPG and
H1_MF_UPG_WEBSOCKET flags are removed from any non-101 response.

This patch should fix the issue #1997. It must be backported as far as 2.4.
---

diff --git a/src/h1_htx.c b/src/h1_htx.c
index 75f9dca9d3..1b79584a3f 100644
--- a/src/h1_htx.c
+++ b/src/h1_htx.c
@@ -279,6 +279,9 @@ static int h1_postparse_res_hdrs(struct h1m *h1m, union h1_sl *h1sl, struct htx
 		goto output_full;
 	}
 
+	if ((h1m->flags & (H1_MF_CONN_UPG|H1_MF_UPG_WEBSOCKET)) && code != 101)
+		h1m->flags &= ~(H1_MF_CONN_UPG|H1_MF_UPG_WEBSOCKET);
+
 	if (((h1m->flags & H1_MF_METH_CONNECT) && code >= 200 && code < 300) || code == 101) {
 		h1m->flags &= ~(H1_MF_CLEN|H1_MF_CHNK);
 		h1m->flags |= H1_MF_XFER_LEN;