From: Willy Tarreau Date: Fri, 1 May 2015 11:47:08 +0000 (+0200) Subject: MEDIUM: http: disable support for HTTP/0.9 by default X-Git-Tag: v1.6-dev2~163 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=13317669d51d830b76055016c187bbc20bbd8398;p=thirdparty%2Fhaproxy.git MEDIUM: http: disable support for HTTP/0.9 by default There's not much reason for continuing to accept HTTP/0.9 requests nowadays except for manual testing. Now we disable support for these by default, unless option accept-invalid-http-request is specified, in which case they continue to be upgraded to 1.0. --- diff --git a/doc/configuration.txt b/doc/configuration.txt index 67286440b2..a21e0fc84f 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -4122,8 +4122,9 @@ no option accept-invalid-http-request ('`'), 123 ('{'), 124 ('|'), 125 ('}'), 127 (delete) and anything above are not allowed at all. Haproxy always blocks a number of them (0..32, 127). The remaining ones are blocked by default unless this option is enabled. This - option also relaxes the test on the HTTP version format, it allows multiple - digits for both the major and the minor version. + option also relaxes the test on the HTTP version, it allows HTTP/0.9 requests + to pass through (no version specified) and multiple digits for both the major + and the minor version. This option should never be enabled by default as it hides application bugs and open security breaches. It should only be deployed after a problem has diff --git a/src/proto_http.c b/src/proto_http.c index a0c9e1ce60..606aebde06 100644 --- a/src/proto_http.c +++ b/src/proto_http.c 
@@ -2939,10 +2939,6 @@ int http_wait_for_request(struct stream *s, struct channel *req, int an_bit) } } - /* 4. We may have to convert HTTP/0.9 requests to HTTP/1.0 */ - if (unlikely(msg->sl.rq.v_l == 0) && !http_upgrade_v09_to_v10(txn)) - goto return_bad_req; - /* RFC7230#2.6 has enforced the format of the HTTP version string to be * exactly one digit "." one digit. This check may be disabled using * option accept-invalid-http-request. @@ -2961,6 +2957,11 @@ int http_wait_for_request(struct stream *s, struct channel *req, int an_bit) goto return_bad_req; } } + else { + /* 4. We may have to convert HTTP/0.9 requests to HTTP/1.0 */ + if (unlikely(msg->sl.rq.v_l == 0) && !http_upgrade_v09_to_v10(txn)) + goto return_bad_req; + } /* ... and check if the request is HTTP/1.1 or above */ if ((msg->sl.rq.v_l == 8) &&
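Review bot: the reworded sentence in the doc/configuration.txt hunk is a comma splice ("relaxes the test on the HTTP version, it allows ...") and describes only what the option permits, not the behaviour change this commit introduces; since HTTP/0.9 requests are now rejected unless accept-invalid-http-request is set, the paragraph should say so explicitly so that operators upgrading understand why bare version-less requests start being refused. Suggest something like "option also relaxes the test on the HTTP version: it lets HTTP/0.9 requests (no version specified), which are otherwise rejected, be upgraded to HTTP/1.0, and accepts multiple digits for both the major and the minor version."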
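Review bot: in the first proto_http.c hunk the removal of the "4." block means that, on the default path, a request with `msg->sl.rq.v_l == 0` is no longer handled explicitly and must be rejected by the RFC7230 version-format check that follows; the hunk context shows only that check's comment, not its body, so confirm that a zero-length version reaches `goto return_bad_req` there rather than falling through, and consider extending the comment above it ("exactly one digit '.' one digit") to state that an absent version (HTTP/0.9) is rejected here unless option accept-invalid-http-request is set. The numbered step comments around this code are also now out of sequence with "4." moved below.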
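Review bot: in the second proto_http.c hunk the moved comment still reads "4. We may have to convert HTTP/0.9 requests to HTTP/1.0" although the conversion now only runs in the `else` branch, i.e. when the strict version check is disabled by option accept-invalid-http-request; reword it to say so ("only when option accept-invalid-http-request is set, convert HTTP/0.9 requests to HTTP/1.0") so the next reader does not take it for an unconditional step. Since this changes default behaviour for clients still sending version-less requests, a regression test covering a bare request line both with and without the option would be worth adding alongside the change.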