From: Willy Tarreau Date: Tue, 24 May 2022 13:34:26 +0000 (+0200) Subject: MEDIUM: h1: enlarge the scope of accepted version chars with accept-invalid-http... X-Git-Tag: v2.6-dev12~141 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1ba30167a029883badfb8fa8dd0fe0239d9a9237;p=thirdparty%2Fhaproxy.git MEDIUM: h1: enlarge the scope of accepted version chars with accept-invalid-http-request We used to support both RTSP and HTTP protocol version names with and without accept-invalid-http-request, but since this is based on the characters themselves, any protocol made of chars {0-9/.HPRST} was possible and not others. Now that such non-standard protocols are restricted to accept-invalid-http-request, there's no reason for not allowing other letters. With this patch, characters {0-9./A-Z} are permitted when the option is set. --- diff --git a/doc/configuration.txt b/doc/configuration.txt index e2191c2dda..d9fd06dbd1 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -8372,8 +8372,8 @@ no option accept-invalid-http-request not allowed at all. HAProxy always blocks a number of them (0..32, 127). The remaining ones are blocked by default unless this option is enabled. This option also relaxes the test on the HTTP version, it allows HTTP/0.9 requests - to pass through (no version specified) and multiple digits for both the major - and the minor version. + to pass through (no version specified), as well as different protocol names + (e.g. RTSP), and multiple digits for both the major and the minor version. This option should never be enabled by default as it hides application bugs and open security breaches. It should only be deployed after a problem has diff --git a/src/http.c b/src/http.c index 83774516e0..bc0a8085f2 100644 --- a/src/http.c +++ b/src/http.c 
@@ -90,32 +90,32 @@ const unsigned char http_char_classes[256] = { ['>'] = HTTP_FLG_SEP, ['?'] = HTTP_FLG_SEP, ['@'] = HTTP_FLG_SEP, - ['A'] = HTTP_FLG_TOK, - ['B'] = HTTP_FLG_TOK, - ['C'] = HTTP_FLG_TOK, - ['D'] = HTTP_FLG_TOK, - ['E'] = HTTP_FLG_TOK, - ['F'] = HTTP_FLG_TOK, - ['G'] = HTTP_FLG_TOK, + ['A'] = HTTP_FLG_TOK | HTTP_FLG_VER, + ['B'] = HTTP_FLG_TOK | HTTP_FLG_VER, + ['C'] = HTTP_FLG_TOK | HTTP_FLG_VER, + ['D'] = HTTP_FLG_TOK | HTTP_FLG_VER, + ['E'] = HTTP_FLG_TOK | HTTP_FLG_VER, + ['F'] = HTTP_FLG_TOK | HTTP_FLG_VER, + ['G'] = HTTP_FLG_TOK | HTTP_FLG_VER, ['H'] = HTTP_FLG_TOK | HTTP_FLG_VER, - ['I'] = HTTP_FLG_TOK, - ['J'] = HTTP_FLG_TOK, - ['K'] = HTTP_FLG_TOK, - ['L'] = HTTP_FLG_TOK, - ['M'] = HTTP_FLG_TOK, - ['N'] = HTTP_FLG_TOK, - ['O'] = HTTP_FLG_TOK, + ['I'] = HTTP_FLG_TOK | HTTP_FLG_VER, + ['J'] = HTTP_FLG_TOK | HTTP_FLG_VER, + ['K'] = HTTP_FLG_TOK | HTTP_FLG_VER, + ['L'] = HTTP_FLG_TOK | HTTP_FLG_VER, + ['M'] = HTTP_FLG_TOK | HTTP_FLG_VER, + ['N'] = HTTP_FLG_TOK | HTTP_FLG_VER, + ['O'] = HTTP_FLG_TOK | HTTP_FLG_VER, ['P'] = HTTP_FLG_TOK | HTTP_FLG_VER, - ['Q'] = HTTP_FLG_TOK, + ['Q'] = HTTP_FLG_TOK | HTTP_FLG_VER, ['R'] = HTTP_FLG_TOK | HTTP_FLG_VER, ['S'] = HTTP_FLG_TOK | HTTP_FLG_VER, ['T'] = HTTP_FLG_TOK | HTTP_FLG_VER, - ['U'] = HTTP_FLG_TOK, - ['V'] = HTTP_FLG_TOK, - ['W'] = HTTP_FLG_TOK, - ['X'] = HTTP_FLG_TOK, - ['Y'] = HTTP_FLG_TOK, - ['Z'] = HTTP_FLG_TOK, + ['U'] = HTTP_FLG_TOK | HTTP_FLG_VER, + ['V'] = HTTP_FLG_TOK | HTTP_FLG_VER, + ['W'] = HTTP_FLG_TOK | HTTP_FLG_VER, + ['X'] = HTTP_FLG_TOK | HTTP_FLG_VER, + ['Y'] = HTTP_FLG_TOK | HTTP_FLG_VER, + ['Z'] = HTTP_FLG_TOK | HTTP_FLG_VER, ['['] = HTTP_FLG_SEP, [ 92] = HTTP_FLG_SEP, [']'] = HTTP_FLG_SEP,
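Review bot: the doc/configuration.txt hunk understates what the relaxed check now accepts. "different protocol names (e.g. RTSP)" reads as if a known list of alternative protocols were allowed, whereas the commit message and the http.c hunk make it any version token built from the characters {0-9./A-Z}. Since this option is documented as one that "hides application bugs and open security breaches", the operator deciding whether to enable it should see the real scope. Suggested wording for the added text:

  to pass through (no version specified), as well as any protocol name made
  of the characters 0-9, '.', '/' and A-Z (e.g. RTSP/1.0), and multiple digits
  for both the major and the minor version.

It would also be worth stating explicitly that such non-HTTP request lines are forwarded to the backend as-is, so the backend must be prepared to reject them.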
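Review bot: in the src/http.c hunk, HTTP_FLG_VER is now set on every uppercase letter A-Z, so the character-class table no longer distinguishes "HTTP/" from an arbitrary uppercase token; the only thing keeping "FOO/1.1" out of the default (strict) path is the caller that consults this flag. The hunk does not show that caller, and the commit message only states that non-standard protocols are "now" restricted to accept-invalid-http-request. Please confirm in the same patch, or reference the commit that did it, that the strict path matches the literal "HTTP/" prefix rather than relying on HTTP_FLG_VER alone, otherwise this table change alone would relax the default parser. Two smaller points: lowercase letters are intentionally left without HTTP_FLG_VER (consistent with the stated {0-9./A-Z} set), which is worth a one-line comment above the table since the asymmetry is not obvious from the entries; and there is no reg-test in the visible diff, so a test sending e.g. "OPTIONS * RTSP/1.0" with and without the option would pin down the intended behaviour on both paths.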