From: Amaury Denoyelle
Date: Fri, 28 Jun 2024 08:50:19 +0000 (+0200)
Subject: BUG/MEDIUM: h3: ensure the ":scheme" pseudo header is totally valid
X-Git-Tag: v3.1-dev2~4
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a3bed52d1f84ba36af66be4317a5f746d498bdf4;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: h3: ensure the ":scheme" pseudo header is totally valid

Ensure pseudo-header scheme is only constituted of valid characters
according to RFC 9110. If an invalid value is found, the request is
rejected and stream is reset.

It's the same as for previous commit "BUG/MEDIUM: h3: ensure the
":method" pseudo header is totally valid" except that this time it
applies to the ":scheme" pseudo header.

This must be backported up to 2.6.
---
diff --git a/src/h3.c b/src/h3.c index fac9846d95..68e302dfaf 100644 --- a/src/h3.c +++ b/src/h3.c @@ -675,6 +675,15 @@ static ssize_t h3_headers_to_htx(struct qcs *qcs, const struct buffer *buf, len = -1; goto out; } + + if (!http_validate_scheme(list[hdr_idx].v)) { + TRACE_ERROR("invalid scheme pseudo-header", H3_EV_RX_FRAME|H3_EV_RX_HDR, qcs->qcc->conn, qcs); + h3s->err = H3_ERR_MESSAGE_ERROR; + qcc_report_glitch(h3c->qcc, 1); + len = -1; + goto out; + } + scheme = list[hdr_idx].v; } else if (isteq(list[hdr_idx].n, ist(":authority"))) {
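Review bot: The new `if (!http_validate_scheme(list[hdr_idx].v))` block in h3_headers_to_htx() carries no comment, so a reader of the code alone cannot tell which rule is being enforced; a one-line comment citing the RFC 9110 scheme syntax named in the commit message would help. The rejection path (H3_ERR_MESSAGE_ERROR, qcc_report_glitch(), `len = -1`, `goto out`) appears to repeat the error block that ends in the context lines just above it, so a shared label or small helper would keep the ":method" and ":scheme" rejections from drifting apart. It is also worth confirming that http_validate_scheme() rejects an empty value, since `scheme = list[hdr_idx].v` is assigned immediately after the check. The patch touches only src/h3.c; a regression test that sends a request with an invalid ":scheme" and expects the stream reset would protect the backport to 2.6.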