From: Christopher Faulet <cfaulet@haproxy.com>
Date: Wed, 25 Feb 2026 15:00:39 +0000 (+0100)
Subject: BUG/MINOR: h1-htx: Be sure that H1 response version starts by "HTTP/"
X-Git-Tag: v3.4-dev6~21
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7a474855b4e676e8f37ee7365606e93cff9b9933;p=thirdparty%2Fhaproxy.git

BUG/MINOR: h1-htx: Be sure that H1 response version starts by "HTTP/"

When the response is parsed, we test the version to be sure it is
valid. However, the protocol was not tested. Now we take care that the
response version starts by "HTTP/", otherwise an error is returned.

Of course, it is still possible to by-pass this test with
"accept-unsafe-violations-in-http-response" option.

This patch could be backported to all stable versions.
---

diff --git a/src/h1_htx.c b/src/h1_htx.c
index 2fd6540ba..fbd635347 100644
--- a/src/h1_htx.c
+++ b/src/h1_htx.c
@@ -110,7 +110,7 @@ static int h1_process_res_vsn(struct h1m *h1m, union h1_sl *sl)
 		if (sl->st.v.len != 8)
 			return 0;
 
-		if (*(sl->st.v.ptr + 4) != '/' ||
+		if (!istnmatch(sl->st.v, ist("HTTP/"), 5) ||
 		    !isdigit((unsigned char)*(sl->st.v.ptr + 5)) ||
 		    *(sl->st.v.ptr + 6) != '.' ||
 		    !isdigit((unsigned char)*(sl->st.v.ptr + 7)))