From: Christopher Faulet <cfaulet@haproxy.com>
Date: Tue, 14 May 2024 13:06:48 +0000 (+0200)
Subject: BUG/MEDIUM: h1: Reject CONNECT request if the target has a scheme
X-Git-Tag: v3.0-dev12~36
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d3d9d83f036871c1bf76399e8ccacffaf05d5943;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: h1: Reject CONNECT request if the target has a scheme

The target of a CONNECT request must not have scheme. However, this was not
checked during the message parsing. It is now rejected.

This patch may be backported as far as 2.4.
---

diff --git a/src/h1.c b/src/h1.c
index a1393ca00b..b20327c10b 100644
--- a/src/h1.c
+++ b/src/h1.c
@@ -183,11 +183,11 @@ int h1_parse_xfer_enc_header(struct h1m *h1m, struct ist value)
  * is hast header, its value is normalized. 0 is returned on success, -1 if the
  * authority is invalid and -2 if the host is invalid.
  */
-static int h1_validate_connect_authority(struct ist authority, struct ist *host_hdr)
+static int h1_validate_connect_authority(struct ist scheme, struct ist authority, struct ist *host_hdr)
 {
 	struct ist uri_host, uri_port, host, host_port;
 
-	if (!isttest(authority))
+	if (isttest(scheme) || !isttest(authority))
 		goto invalid_authority;
 	uri_host = authority;
 	uri_port = http_get_host_port(authority);
@@ -1112,7 +1112,7 @@ int h1_headers_to_hdr_list(char *start, const char *stop,
 			if (sl.rq.meth == HTTP_METH_CONNECT) {
 				struct ist *host = ((host_idx != -1) ? &hdr[host_idx].v : NULL);
 
-				ret = h1_validate_connect_authority(authority, host);
+				ret = h1_validate_connect_authority(scheme, authority, host);
 				if (ret < 0) {
 					if (h1m->err_pos < -1) {
 						state = H1_MSG_LAST_LF;