When the response is parsed, we test the version to be sure it is
valid. However, the protocol was not tested. Now we take care that the
response version starts with "HTTP/", otherwise an error is returned.
Of course, it is still possible to bypass this test with the
"accept-unsafe-violations-in-http-response" option.
This patch could be backported to all stable versions.
if (sl->st.v.len != 8)
return 0;
- if (*(sl->st.v.ptr + 4) != '/' ||
+ if (!istnmatch(sl->st.v, ist("HTTP/"), 5) ||
!isdigit((unsigned char)*(sl->st.v.ptr + 5)) ||
*(sl->st.v.ptr + 6) != '.' ||
!isdigit((unsigned char)*(sl->st.v.ptr + 7)))
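Review bot: the hard-coded 5 in istnmatch(sl->st.v, ist("HTTP/"), 5) on the added line repeats the length of the literal, and the unchanged offsets 5, 6 and 7 below depend on the same layout. A one-line comment above the condition giving the expected shape ("HTTP/" DIGIT "." DIGIT, 8 bytes as enforced by the len check) and stating whether the protocol name is meant to be matched case-sensitively would make the intent explicit. The commit message says the check can still be bypassed with accept-unsafe-violations-in-http-response, but nothing in this hunk shows that path, so a regression test sending a status line with a non-"HTTP/" protocol, once with and once without the option, would be worth adding alongside the change.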