From: Willy Tarreau <w@1wt.eu>
Date: Fri, 10 Nov 2017 18:38:10 +0000 (+0100)
Subject: MEDIUM: http: always reject the "PRI" method
X-Git-Tag: v1.8-rc3~1
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=916597903cc0e1022db33e01dd832aee76218b99;p=thirdparty%2Fhaproxy.git

MEDIUM: http: always reject the "PRI" method

This method was reserved for the HTTP/2 connection preface, must never
be used and must be rejected. In normal situations it doesn't happen,
but it may be visible if a TCP frontend has alpn "h2" enabled, and
forwards to an HTTP backend which tries to parse the request. Before
this patch it would pass the wrong request to the backend server, now
it properly returns 400 bad req.

This patch should probably be backported to stable versions.
---

diff --git a/src/proto_http.c b/src/proto_http.c
index 9909eedc36..88e2f06ebb 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -1899,6 +1899,12 @@ int http_wait_for_request(struct stream *s, struct channel *req, int an_bit)
 	/* we can make use of server redirect on GET and HEAD */
 	if (txn->meth == HTTP_METH_GET || txn->meth == HTTP_METH_HEAD)
 		s->flags |= SF_REDIRECTABLE;
+	else if (txn->meth == HTTP_METH_OTHER &&
+		 msg->sl.rq.m_l == 3 && memcmp(req->buf->p, "PRI", 3) == 0) {
+		/* PRI is reserved for the HTTP/2 preface */
+		msg->err_pos = 0;
+		goto return_bad_req;
+	}
 
 	/*
 	 * 2: check if the URI matches the monitor_uri.