From: Willy Tarreau Date: Tue, 5 Mar 2019 09:47:37 +0000 (+0100) Subject: BUG/MEDIUM: h2/htx: verify that :path doesn't contain invalid chars X-Git-Tag: v2.0-dev2~126 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9255e7e9713a03486f8fc4ac8deba47a9e621dfe;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: h2/htx: verify that :path doesn't contain invalid chars While the legacy code converts h2 to h1 and provides some control over what is passed, in htx mode there is no such control and it is possible to pass control chars and linear white spaces in the path, which are possibly reencoded differently once passed to the H1 side. HTX supports parse error reporting using a special flag. Let's check the correctness of the :path pseudo header and report any anomaly in the HTX flag. Thanks to Jérôme Magnin for reporting this bug with a working reproducer. This fix must be backported to 1.9 along with the two previous patches ("MINOR: htx: unconditionally handle parsing errors in requests or responses" and "MINOR: mux-h2: always pass HTX_FL_PARSING_ERROR between h2s and buf on RX"). --- diff --git a/src/h2.c b/src/h2.c index a4578f468d..9c02cd3c54 100644 --- a/src/h2.c +++ b/src/h2.c @@ -492,6 +492,7 @@ static struct htx_sl *h2_prepare_htx_reqline(uint32_t fields, struct ist *phdr, int uri_idx = H2_PHDR_IDX_PATH; unsigned int flags = HTX_SL_F_NONE; struct htx_sl *sl; + size_t i; if ((fields & H2_PHDR_FND_METH) && isteq(phdr[H2_PHDR_IDX_METH], ist("CONNECT"))) { /* RFC 7540 #8.2.6 regarding CONNECT: ":scheme" and ":path" 
@@ -538,6 +539,13 @@ static struct htx_sl *h2_prepare_htx_reqline(uint32_t fields, struct ist *phdr, if (!phdr[uri_idx].len) goto fail; + /* make sure :path doesn't contain LWS nor CTL characters */ + for (i = 0; i < phdr[uri_idx].len; i++) { + unsigned char c = phdr[uri_idx].ptr[i]; + if (HTTP_IS_LWS(c) || HTTP_IS_CTL(c)) + htx->flags |= HTX_FL_PARSING_ERROR; + } + /* Set HTX start-line flags */ flags |= HTX_SL_F_VER_11; // V2 in fact flags |= HTX_SL_F_XFER_LEN; // xfer len always known with H2
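Review bot: the loop in the second hunk keeps scanning after the first offending byte even though the only effect is to OR the same HTX_FL_PARSING_ERROR bit into htx->flags again; a `break;` after `htx->flags |= HTX_FL_PARSING_ERROR;` would stop at the first LWS or CTL character and make it explicit that a single bad byte is enough to taint the request. Also worth a comment in the hunk: the function deliberately does not `goto fail` here but continues to build the start line, so correct behaviour depends on the caller honouring HTX_FL_PARSING_ERROR, which the commit message says the two earlier patches ("unconditionally handle parsing errors" and "always pass HTX_FL_PARSING_ERROR between h2s and buf on RX") guarantee; stating that dependency next to the loop would save the next reader a trip through the history. Reading each byte into `unsigned char c` before the macro tests is the right choice, since it avoids a negative index if the macros look up a table with a signed char.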
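Review bot: in the first hunk the new `size_t i;` is declared at the top of h2_prepare_htx_reqline alongside the other locals, which matches the surrounding C style, and `size_t` is the right type to compare against `phdr[uri_idx].len` without a signed/unsigned warning; since `i` is used only by the loop added in the later hunk, a short comment such as `/* used to scan :path below */` would make the otherwise isolated declaration self-explanatory.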