From: daum3ns <23260410+daum3ns@users.noreply.github.com> Date: Tue, 4 Mar 2025 10:54:08 +0000 (+0100) Subject: tls_validate_record_header(): Check for all HTTP methods X-Git-Tag: openssl-3.5.0-alpha1~15 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=30fbc68dd45107951f6c15ff0f0f5215202d6d84;p=thirdparty%2Fopenssl.git tls_validate_record_header(): Check for all HTTP methods The change checks for all HTTP methods in ssl_record, not only GET, POST, PUT and HEAD. (additionally PATCH, DELETE, OPTIONS and TRACE) CLA: trivial Reviewed-by: Tim Hudson Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/26968) --- diff --git a/ssl/record/methods/tlsany_meth.c b/ssl/record/methods/tlsany_meth.c index 3f73f9ebdd8..38d74807140 100644 --- a/ssl/record/methods/tlsany_meth.c +++ b/ssl/record/methods/tlsany_meth.c @@ -67,6 +67,10 @@ static int tls_validate_record_header(OSSL_RECORD_LAYER *rl, TLS_RL_RECORD *rec) if (HAS_PREFIX((char *)p, "GET ") || HAS_PREFIX((char *)p, "POST ") || HAS_PREFIX((char *)p, "HEAD ") || + HAS_PREFIX((char *)p, "PATCH") || + HAS_PREFIX((char *)p, "OPTIO") || + HAS_PREFIX((char *)p, "DELET") || + HAS_PREFIX((char *)p, "TRACE") || HAS_PREFIX((char *)p, "PUT ")) { RLAYERfatal(rl, SSL_AD_NO_ALERT, SSL_R_HTTP_REQUEST); return 0;
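Review bot: The four added literals in the `HAS_PREFIX` chain ("PATCH", "OPTIO", "DELET", "TRACE") are each exactly five characters with no trailing space, and two of them are truncated method names. The existing entries ("GET ", "POST ", "HEAD ", "PUT ") all end in the space that separates the method from the request target, and nothing in the hunk explains the difference. If the truncation is there because only a fixed number of bytes at `p` are valid at this point, a short comment above the condition saying so would stop a later contributor from "fixing" these to "OPTIONS " or "DELETE " and comparing past the available data. Separately, the subject line says the check now covers all HTTP methods, but the list after this change is GET, POST, HEAD, PATCH, OPTIONS, DELETE, TRACE and PUT, so CONNECT is still not matched. Either add it or reword the message to name the methods that are actually covered. As a minor style point, the new lines are inserted ahead of the existing "PUT " entry, which leaves the list in no particular order.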