From: Amaury Denoyelle Date: Wed, 16 Apr 2025 09:17:20 +0000 (+0200) Subject: BUG/MINOR: h3: reject invalid :path in request X-Git-Tag: v3.2-dev11~43 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fc28fe7191701251115e817a7c4a673b88e49f65;p=thirdparty%2Fhaproxy.git BUG/MINOR: h3: reject invalid :path in request RFC 9114 specifies some requirements for :path pseudo-header when using http or https scheme. This commit enforces this by rejecting a request if needed. Thus, path cannot be empty, and it must either start with a '/' character or contains only '*'. This must be backported up to 2.6.
---
diff --git a/src/h3.c b/src/h3.c
index 3f6f85710..a66a48a44 100644
--- a/src/h3.c
+++ b/src/h3.c
@@ -733,6 +733,25 @@ static ssize_t h3_headers_to_htx(struct qcs *qcs, const struct buffer *buf,
 flags |= HTX_SL_F_VER_11;
 flags |= HTX_SL_F_XFER_LEN;
 
+ /* RFC 9114 4.3.1. Request Pseudo-Header Fields
+ *
+ * This pseudo-header field MUST NOT be empty for "http" or "https"
+ * URIs; "http" or "https" URIs that do not contain a path component
+ * MUST include a value of / (ASCII 0x2f). An OPTIONS request that
+ * does not include a path component includes the value * (ASCII
+ * 0x2a) for the :path pseudo-header field; see Section 7.1 of
+ * [HTTP].
+ */
+ if ((isteqi(scheme, ist("http")) || isteqi(scheme, ist("https"))) &&
+ (!istlen(path) ||
+ (istptr(path)[0] != '/' && !isteq(path, ist("*"))))) {
+ TRACE_ERROR("invalid ':path' pseudo-header", H3_EV_RX_FRAME|H3_EV_RX_HDR, qcs->qcc->conn, qcs);
+ h3s->err = H3_ERR_MESSAGE_ERROR;
+ qcc_report_glitch(h3c->qcc, 1);
+ len = -1;
+ goto out;
+ }
+
 sl = htx_add_stline(htx, HTX_BLK_REQ_SL, flags, meth, path, ist("HTTP/3.0"));
 if (!sl) {
 len = -1;
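Review bot: The `*` exception in the new `:path` check is not tied to the request method, so a non-OPTIONS request carrying `:path: *` passes validation and reaches `htx_add_stline()`. The RFC text quoted in the added comment describes that value only for OPTIONS. Assuming `meth` holds the method name, as its use in the `htx_add_stline()` call suggests, the last condition could become `(istptr(path)[0] != '/' && !(isteq(path, ist("*")) && isteq(meth, ist("OPTIONS"))))`. Only the first byte of a non-`*` path is inspected here, so forbidden characters later in the value depend on checks elsewhere in `h3_headers_to_htx()`, whose body starts and ends outside this hunk. A short comment saying the test is deliberately skipped for schemes other than http/https would also help the next reader.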