MEDIUM: h1: enlarge the scope of accepted version chars with accept-invalid-http-request
We used to support both RTSP and HTTP protocol version names with and without accept-invalid-http-request, but since this is based on the characters themselves, any protocol made of chars {0-9/.HPRST} was possible and not others. Now that such non-standard protocols are restricted to accept-invalid-http-request, there's no reason for not allowing other letters. With this patch, characters {0-9./A-Z} are permitted when the option is set.
parent
8f4116ea65
commit
1ba30167a0
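The commit message above describes the accepted version token purely in terms of a character class: {0-9/.HPRST} before this change, {0-9./A-Z} after it, and only when accept-invalid-http-request is set. To make that concrete, here is an added example (not HAProxy's own code, and not the commit's parser): a small checker with a strict mode that accepts only `HTTP/<digit>.<digit>` and a relaxed mode that applies the per-character class from the commit message, so you can see which request-line versions each mode lets through. The `ex_` names, the `EX_FLG_VER` flag and the strict-mode rule are this example's own assumptions.

```c
/* Added example, not HAProxy code: a minimal request-line version
 * checker modelled on the behaviour the commit message describes.
 * strict  : only "HTTP/<digit>.<digit>" passes (the default policy).
 * relaxed : the counterpart of "option accept-invalid-http-request";
 *           the token may be any run of {0-9 . / A-Z} (so other
 *           protocol names and multi-digit versions pass), and an
 *           empty token stands for an HTTP/0.9 request.
 * All identifiers below are this example's own assumptions.
 */
#include <stdint.h>
#include <string.h>
#include <ctype.h>

#define EX_FLG_VER 0x01   /* byte allowed in a relaxed version token */

/* Relaxed class table: digits, '.', '/', 'A'..'Z'. Lowercase letters,
 * spaces, control bytes and other punctuation carry no flag. */
static uint8_t ex_ver_class[256];

static void ex_init_classes(void)
{
    static int done;
    int c;

    if (done)
        return;
    for (c = '0'; c <= '9'; c++)
        ex_ver_class[c] = EX_FLG_VER;
    for (c = 'A'; c <= 'Z'; c++)
        ex_ver_class[c] = EX_FLG_VER;
    ex_ver_class['.'] = EX_FLG_VER;
    ex_ver_class['/'] = EX_FLG_VER;
    done = 1;
}

/* Returns 1 if the version token ver[0..len) is acceptable, else 0.
 * relaxed == 0: strict "HTTP/x.y" with exactly one digit each side.
 * relaxed != 0: per-character check against the {0-9./A-Z} class.
 */
int ex_check_version(const char *ver, size_t len, int relaxed)
{
    size_t i;

    ex_init_classes();

    if (len == 0)
        return relaxed ? 1 : 0;       /* HTTP/0.9 only when relaxed */

    if (!relaxed) {
        return len == 8 &&
               memcmp(ver, "HTTP/", 5) == 0 &&
               isdigit((unsigned char)ver[5]) &&
               ver[6] == '.' &&
               isdigit((unsigned char)ver[7]);
    }

    /* relaxed: every byte must carry the VER flag, so "RTSP/1.0" or
     * "HTTP/10.11" pass, while "http/1.1" or a trailing space do not */
    for (i = 0; i < len; i++) {
        if (!(ex_ver_class[(unsigned char)ver[i]] & EX_FLG_VER))
            return 0;
    }
    return 1;
}

/* Convenience wrapper for NUL-terminated tokens. */
int ex_check_version_str(const char *ver, int relaxed)
{
    return ex_check_version(ver, strlen(ver), relaxed);
}
```

The relaxed branch deliberately keeps lowercase letters out of the class, which is the point of the {0-9./A-Z} set in the commit message: the option widens the accepted protocol names but does not turn the check into "any printable byte". Whatever a real parser does beyond this per-byte test (ordering of name, '/', major and minor) is outside what the commit message states and is not modelled here.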
@ -8372,8 +8372,8 @@ no option accept-invalid-http-request
not allowed at all. HAProxy always blocks a number of them (0..32, 127). The
remaining ones are blocked by default unless this option is enabled. This
option also relaxes the test on the HTTP version, it allows HTTP/0.9 requests
to pass through (no version specified) and multiple digits for both the major
and the minor version.
to pass through (no version specified), as well as different protocol names
(e.g. RTSP), and multiple digits for both the major and the minor version.
This option should never be enabled by default as it hides application bugs
and open security breaches. It should only be deployed after a problem has
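Review bot: the new wording at the end of this hunk, "as well as different protocol names (e.g. RTSP)", does not tell the reader which names are accepted, while the commit message restricts the relaxed version token to {0-9./A-Z}, so lowercase names and any punctuation other than '.' and '/' are still rejected even with the option set. Suggest saying so in the sentence, e.g. "as well as different protocol names (e.g. RTSP) made only of digits, uppercase letters, '.' and '/'". In the unchanged context that follows, "and open security breaches" should read "and opens security breaches".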
src/http.c (42 changed lines)
@ -90,32 +90,32 @@ const unsigned char http_char_classes[256] = {
['>'] = HTTP_FLG_SEP,
['?'] = HTTP_FLG_SEP,
['@'] = HTTP_FLG_SEP,
['A'] = HTTP_FLG_TOK,
['B'] = HTTP_FLG_TOK,
['C'] = HTTP_FLG_TOK,
['D'] = HTTP_FLG_TOK,
['E'] = HTTP_FLG_TOK,
['F'] = HTTP_FLG_TOK,
['G'] = HTTP_FLG_TOK,
['A'] = HTTP_FLG_TOK | HTTP_FLG_VER,
['B'] = HTTP_FLG_TOK | HTTP_FLG_VER,
['C'] = HTTP_FLG_TOK | HTTP_FLG_VER,
['D'] = HTTP_FLG_TOK | HTTP_FLG_VER,
['E'] = HTTP_FLG_TOK | HTTP_FLG_VER,
['F'] = HTTP_FLG_TOK | HTTP_FLG_VER,
['G'] = HTTP_FLG_TOK | HTTP_FLG_VER,
['H'] = HTTP_FLG_TOK | HTTP_FLG_VER,
['I'] = HTTP_FLG_TOK,
['J'] = HTTP_FLG_TOK,
['K'] = HTTP_FLG_TOK,
['L'] = HTTP_FLG_TOK,
['M'] = HTTP_FLG_TOK,
['N'] = HTTP_FLG_TOK,
['O'] = HTTP_FLG_TOK,
['I'] = HTTP_FLG_TOK | HTTP_FLG_VER,
['J'] = HTTP_FLG_TOK | HTTP_FLG_VER,
['K'] = HTTP_FLG_TOK | HTTP_FLG_VER,
['L'] = HTTP_FLG_TOK | HTTP_FLG_VER,
['M'] = HTTP_FLG_TOK | HTTP_FLG_VER,
['N'] = HTTP_FLG_TOK | HTTP_FLG_VER,
['O'] = HTTP_FLG_TOK | HTTP_FLG_VER,
['P'] = HTTP_FLG_TOK | HTTP_FLG_VER,
['Q'] = HTTP_FLG_TOK,
['Q'] = HTTP_FLG_TOK | HTTP_FLG_VER,
['R'] = HTTP_FLG_TOK | HTTP_FLG_VER,
['S'] = HTTP_FLG_TOK | HTTP_FLG_VER,
['T'] = HTTP_FLG_TOK | HTTP_FLG_VER,
['U'] = HTTP_FLG_TOK,
['V'] = HTTP_FLG_TOK,
['W'] = HTTP_FLG_TOK,
['X'] = HTTP_FLG_TOK,
['Y'] = HTTP_FLG_TOK,
['Z'] = HTTP_FLG_TOK,
['U'] = HTTP_FLG_TOK | HTTP_FLG_VER,
['V'] = HTTP_FLG_TOK | HTTP_FLG_VER,
['W'] = HTTP_FLG_TOK | HTTP_FLG_VER,
['X'] = HTTP_FLG_TOK | HTTP_FLG_VER,
['Y'] = HTTP_FLG_TOK | HTTP_FLG_VER,
['Z'] = HTTP_FLG_TOK | HTTP_FLG_VER,
['['] = HTTP_FLG_SEP,
[ 92] = HTTP_FLG_SEP,
[']'] = HTTP_FLG_SEP,
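Review bot: this hunk only widens the class table, adding HTTP_FLG_VER to the uppercase letters that lacked it (A-G, I-O, Q, U-Z), and nothing visible here ties the wider class to accept-invalid-http-request; the commit message says non-standard protocol names are already restricted to that option, but that gating lives outside this file, so please confirm that the request-line version check still rejects any name other than "HTTP/" in the default mode and only consults HTTP_FLG_VER for other names when the option is set, otherwise this table change alone would loosen the default parser. A one-line comment above http_char_classes saying that HTTP_FLG_VER on letters only takes effect with that option would spare the next reader the same question. The hunk ends at ']', so the lowercase range is not in view; per the {0-9./A-Z} set in the commit message it is expected to keep HTTP_FLG_TOK only, which is worth a glance when applying.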