BUG/MINOR: h3: reject more chars from the :path pseudo header

This is the h3 version of this previous fix:

   BUG/MINOR: h2: reject more chars from the :path pseudo header

In addition to the current NUL/CR/LF, this will also reject all other
control chars, the space and '#' from the :path pseudo-header, to avoid
taking the '#' for a part of the path. It's still possible to fall back
to the previous behavior using "option accept-invalid-http-request".

Here the :path header value is scanned a second time to look for
forbidden chars because we don't know upfront if we're dealing with a
path header field or another one. This is no big deal anyway for now.

This should be progressively backported to 2.6, along with the
following commits it relies on (the same as for h2):

   REGTESTS: http-rules: add accept-invalid-http-request for normalize-uri tests
   REORG: http: move has_forbidden_char() from h2.c to http.h
   MINOR: ist: add new function ist_find_range() to find a character range
   MINOR: http: add new function http_path_has_forbidden_char()

diff --git a/src/h3.c b/src/h3.c
index 95a8303afebe722cabaf7114baf0c8b78b862868..17d1b2668c259117f15af26f5a816d9ebc36db12 100644 (file)
--- a/src/h3.c
+++ b/src/h3.c
@@ -419,6 +419,7 @@ static ssize_t h3_headers_to_htx(struct qcs *qcs, const struct buffer *buf,
        int hdr_idx, ret;
        int cookie = -1, last_cookie = -1, i;
        const char *ctl;
+       int relaxed = !!(h3c->qcc->proxy->options2 & PR_O2_REQBUG_OK);
 
        /* RFC 9114 4.1.2. Malformed Requests and Responses
         *
@@ -520,6 +521,20 @@ static ssize_t h3_headers_to_htx(struct qcs *qcs, const struct buffer *buf,
                                len = -1;
                                goto out;
                        }
+
+                       if (!relaxed) {
+                               /* we need to reject any control chars or '#' from the path,
+                                * unless option accept-invalid-http-request is set.
+                                */
+                               ctl = ist_find_range(list[hdr_idx].v, 0, '#');
+                               if (unlikely(ctl) && http_path_has_forbidden_char(list[hdr_idx].v, ctl)) {
+                                       TRACE_ERROR("forbidden character in ':path' pseudo-header", H3_EV_RX_FRAME|H3_EV_RX_HDR, qcs->qcc->conn, qcs);
+                                       h3s->err = H3_MESSAGE_ERROR;
+                                       len = -1;
+                                       goto out;
+                               }
+                       }
+
                        path = list[hdr_idx].v;
                }
                else if (isteq(list[hdr_idx].n, ist(":scheme"))) {