From da4a4976d79f47e57526c656c4f8a3100e2d34a8 Mon Sep 17 00:00:00 2001
From: Willy Tarreau
Date: Fri, 15 May 2026 05:14:45 +0000
Subject: [PATCH] BUG/MINOR: backend: correct parameter value validation in get_server_ph_post()

In the inner while loop that validates each character of a POST parameter value, the code checks *p via HTTP_IS_TOKEN() and HTTP_IS_LWS() instead of *end, while the loop condition only advances "end", so only the first character of each value is validated. This means spaces or binary data embedded in parameter values after the first character goes undetected. Fix by replacing both references to *p with *end to properly scan through all characters as intended. This bug was introduced in 1.5-dev20 by commit 98634f0c7 ("MEDIUM: backend: Enhance hash-type directive with an algorithm options") so the fix must be backported to all versions.
---
 src/backend.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/backend.c b/src/backend.c
index 39e304df9..2add8cc8b 100644
--- a/src/backend.c
+++ b/src/backend.c
@@ -370,11 +370,11 @@ struct server *get_server_ph_post(struct stream *s, const struct server *avoid)
 len -= plen + 1;

 while (len && *end != '&') {
- if (unlikely(!HTTP_IS_TOKEN(*p))) {
+ if (unlikely(!HTTP_IS_TOKEN(*end))) {
 /* if in a POST, body must be URI encoded or it's not a URI.
 * Do not interpret any possible binary data as a parameter.
 */
- if (likely(HTTP_IS_LWS(*p))) /* eol, uncertain uri len */
+ if (likely(HTTP_IS_LWS(*end))) /* eol, uncertain uri len */
 break;
 return NULL; /* oh, no; this is not uri-encoded.
 * This body does not contain parameters.
-- 
2.47.3
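Review bot: With both tests now reading `*end`, the loop hits `return NULL` at any byte of the value that is neither a token character nor LWS, where before only the first byte was tested, so bodies that used to produce a hash key can now produce none. If `HTTP_IS_TOKEN()` follows the RFC token set (its definition is not visible here), unencoded separators such as `/`, `:` or `=` inside a value fall into that case. Since the fix is marked for backport to all versions, the commit message or the documentation should say so, so that a change in server selection after an upgrade is expected rather than investigated as a fault. A short comment above the test would also make the intent explicit, e.g. `/* every byte up to '&' must be a token char; LWS ends the value, anything else means the body is not url-encoded */`. The loop body and the function continue outside the hunk, so the `end`/`len` advance is not visible here.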