From: Willy Tarreau Date: Sun, 3 Dec 2017 19:28:13 +0000 (+0100) Subject: BUG/MEDIUM: h2: do not accept upper case letters in request header names X-Git-Tag: v1.9-dev1~612 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=637f64d56526ea87c935e75c3bd40a982a722f00;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: h2: do not accept upper case letters in request header names This is explicitly forbidden by 7540#8.1.2, and may be used to bypass some of the other filters, so they must be blocked early. It removes another issue reported by h2spec. To backport to 1.8. --- diff --git a/src/h2.c b/src/h2.c index 64f27fe20d..43ed7f3c8d 100644 --- a/src/h2.c +++ b/src/h2.c @@ -133,6 +133,7 @@ int h2_make_h1_request(struct http_hdr *list, char *out, int osize) int ck, lck; /* cookie index and last cookie index */ int phdr; int ret; + int i; lck = ck = -1; // no cookie for now fields = 0; @@ -143,6 +144,11 @@ int h2_make_h1_request(struct http_hdr *list, char *out, int osize) } else { /* this can be any type of header */ + /* RFC7540#8.1.2: upper case not allowed in header field names */ + for (i = 0; i < list[idx].n.len; i++) + if ((uint8_t)(list[idx].n.ptr[i] - 'A') < 'Z' - 'A') + goto fail; + phdr = h2_str_to_phdr(list[idx].n); }
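Review bot: the range test in the loop added to h2_make_h1_request() is off by one. `(uint8_t)(list[idx].n.ptr[i] - 'A') < 'Z' - 'A'` is true only for offsets 0 through 24, that is 'A' through 'Y', so a header name containing 'Z' still passes. Since the commit message says upper case names may be used to bypass other filters, the comparison should be `<= 'Z' - 'A'` so that the whole range is rejected. The check also sits only in the `else` branch; it is worth confirming that the branch before it, which is not visible in this hunk, cannot let a name with upper case letters through.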