BUG/MINIR: h1: Fix doc of 'accept-unsafe-...-request' about URI parsing

The description of tests performed on the URI in H1 when
'accept-unsafe-violations-in-http-request' option is wrong. It states that
only characters below 32 and 127 are blocked when this option is set,
suggesting that otherwise, when it is not set, all invalid characters in the
URI, according to the RFC3986, are blocked.

But in fact, it is not true. By default all character below 32 and above 127
are blocked. And when 'accept-unsafe-violations-in-http-request' option is
set, characters above 127 (excluded) are accepted. But characters in
(33..126) are never checked, independently of this option.

This patch should fix the issue #2906. It should be backported as far as
3.0. For older versions, the docuementation could also be clarified because
this part is not really clear.

Note the request URI validation is still under discution because invalid
characters in (33.126) are never checked and some users request a stricter
parsing.

diff --git a/doc/configuration.txt b/doc/configuration.txt
index c21bae9211656681788fde7be94f3911255e84ad..9c7b041a67c015fb163404e58cde28c8391cf896 100644 (file)
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -9077,11 +9077,14 @@ no option accept-unsafe-violations-in-http-request
 
     * In H1 only, NULL character in header value will be accepted;
 
-    * The list of characters allowed to appear in a URI is well defined by
-      RFC3986, and chars 0-31, 32 (space), 34 ('"'), 60 ('<'), 62 ('>'), 92
-      ('\'), 94 ('^'), 96 ('`'), 123 ('{'), 124 ('|'), 125 ('}'), 127 (delete)
-      and anything above are normally not allowed. But here, in H1 only,
-      HAProxy will only block a number of them (0..32, 127);
+    * In H1 only, characters above 127 in the URI will be accepted. The list of
+      characters allowed to appear in a URI is well defined by RFC3986, and
+      chars 0-31, 32 (space), 34 ('"'), 60 ('<'), 62 ('>'), 92 ('\'), 94 ('^'),
+      96 ('`'), 123 ('{'), 124 ('|'), 125 ('}'), 127 (delete) and anything
+      above are normally not allowed. In H1, all character between (0..32) and
+      127 will always be blocked. All characters above 127 (excluded) will also
+      be blocked, except when this option is enabled. Other characters
+      (33..126) will not be checked at all.
 
     * In H1 and H2, URLs containing fragment references ('#' after the path)
       will be accepted;