From 916597903cc0e1022db33e01dd832aee76218b99 Mon Sep 17 00:00:00 2001
From: Willy Tarreau
Date: Fri, 10 Nov 2017 19:38:10 +0100
Subject: [PATCH] MEDIUM: http: always reject the "PRI" method

This method was reserved for the HTTP/2 connection preface, must never be used and must be rejected. In normal situations it doesn't happen, but it may be visible if a TCP frontend has alpn "h2" enabled, and forwards to an HTTP backend which tries to parse the request. Before this patch it would pass the wrong request to the backend server, now it properly returns 400 bad req. This patch should probably be backported to stable versions.
---
 src/proto_http.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/proto_http.c b/src/proto_http.c
index 9909eedc36..88e2f06ebb 100644
--- a/src/proto_http.c
+++ b/src/proto_http.c
@@ -1899,6 +1899,12 @@ int http_wait_for_request(struct stream *s, struct channel *req, int an_bit)
 /* we can make use of server redirect on GET and HEAD */
 if (txn->meth == HTTP_METH_GET || txn->meth == HTTP_METH_HEAD)
 s->flags |= SF_REDIRECTABLE;
+ else if (txn->meth == HTTP_METH_OTHER &&
+ msg->sl.rq.m_l == 3 && memcmp(req->buf->p, "PRI", 3) == 0) {
+ /* PRI is reserved for the HTTP/2 preface */
+ msg->err_pos = 0;
+ goto return_bad_req;
+ }

 /*
 * 2: check if the URI matches the monitor_uri.
--
2.47.3
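Review bot: The PRI rejection is attached as an `else if` to the GET/HEAD redirectability test, so a protocol-safety check depends on the shape of an unrelated flag-setting branch. A later edit to that `if` could change when the rejection runs, so a standalone `if (txn->meth == HTTP_METH_OTHER && msg->sl.rq.m_l == 3 && memcmp(req->buf->p, "PRI", 3) == 0)` placed before the redirect test would be safer. The `memcmp` also assumes the method token starts at `req->buf->p`; that presumably matches what the request-line parser guarantees at this point, but it is not visible in the hunk and deserves a short comment. The comment could state the consequence too, for example `/* PRI is reserved for the HTTP/2 connection preface (RFC 7540): an H2 client reached the HTTP/1 parser, reject rather than forward it */`. The body of `http_wait_for_request` and the `return_bad_req` label lie outside this hunk.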