From 1ba30167a029883badfb8fa8dd0fe0239d9a9237 Mon Sep 17 00:00:00 2001
From: Willy Tarreau
Date: Tue, 24 May 2022 15:34:26 +0200
Subject: [PATCH] MEDIUM: h1: enlarge the scope of accepted version chars with accept-invalid-http-request
We used to support both RTSP and HTTP protocol version names with and without accept-invalid-http-request, but since this is based on the characters themselves, any protocol made of chars {0-9/.HPRST} was possible and not others. Now that such non-standard protocols are restricted to accept-invalid-http-request, there's no reason for not allowing other letters. With this patch, characters {0-9./A-Z} are permitted when the option is set.
---
 doc/configuration.txt | 4 ++--
 src/http.c | 42 +++++++++++++++++++++---------------------
 2 files changed, 23 insertions(+), 23 deletions(-)
diff --git a/doc/configuration.txt b/doc/configuration.txt
index e2191c2dd..d9fd06dbd 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -8372,8 +8372,8 @@ no option accept-invalid-http-request not allowed at all. HAProxy always blocks a number of them (0..32, 127). The remaining ones are blocked by default unless this option is enabled. This option also relaxes the test on the HTTP version, it allows HTTP/0.9 requests
- to pass through (no version specified) and multiple digits for both the major
- and the minor version.
+ to pass through (no version specified), as well as different protocol names
+ (e.g. RTSP), and multiple digits for both the major and the minor version. This option should never be enabled by default as it hides application bugs and open security breaches. It should only be deployed after a problem has
diff --git a/src/http.c b/src/http.c
index 83774516e..bc0a8085f 100644
--- a/src/http.c
+++ b/src/http.c
@@ -90,32 +90,32 @@ const unsigned char http_char_classes[256] = {
 ['>'] = HTTP_FLG_SEP,
 ['?'] = HTTP_FLG_SEP,
 ['@'] = HTTP_FLG_SEP,
- ['A'] = HTTP_FLG_TOK,
- ['B'] = HTTP_FLG_TOK,
- ['C'] = HTTP_FLG_TOK,
- ['D'] = HTTP_FLG_TOK,
- ['E'] = HTTP_FLG_TOK,
- ['F'] = HTTP_FLG_TOK,
- ['G'] = HTTP_FLG_TOK,
+ ['A'] = HTTP_FLG_TOK | HTTP_FLG_VER,
+ ['B'] = HTTP_FLG_TOK | HTTP_FLG_VER,
+ ['C'] = HTTP_FLG_TOK | HTTP_FLG_VER,
+ ['D'] = HTTP_FLG_TOK | HTTP_FLG_VER,
+ ['E'] = HTTP_FLG_TOK | HTTP_FLG_VER,
+ ['F'] = HTTP_FLG_TOK | HTTP_FLG_VER,
+ ['G'] = HTTP_FLG_TOK | HTTP_FLG_VER,
 ['H'] = HTTP_FLG_TOK | HTTP_FLG_VER,
- ['I'] = HTTP_FLG_TOK,
- ['J'] = HTTP_FLG_TOK,
- ['K'] = HTTP_FLG_TOK,
- ['L'] = HTTP_FLG_TOK,
- ['M'] = HTTP_FLG_TOK,
- ['N'] = HTTP_FLG_TOK,
- ['O'] = HTTP_FLG_TOK,
+ ['I'] = HTTP_FLG_TOK | HTTP_FLG_VER,
+ ['J'] = HTTP_FLG_TOK | HTTP_FLG_VER,
+ ['K'] = HTTP_FLG_TOK | HTTP_FLG_VER,
+ ['L'] = HTTP_FLG_TOK | HTTP_FLG_VER,
+ ['M'] = HTTP_FLG_TOK | HTTP_FLG_VER,
+ ['N'] = HTTP_FLG_TOK | HTTP_FLG_VER,
+ ['O'] = HTTP_FLG_TOK | HTTP_FLG_VER,
 ['P'] = HTTP_FLG_TOK | HTTP_FLG_VER,
- ['Q'] = HTTP_FLG_TOK,
+ ['Q'] = HTTP_FLG_TOK | HTTP_FLG_VER,
 ['R'] = HTTP_FLG_TOK | HTTP_FLG_VER,
 ['S'] = HTTP_FLG_TOK | HTTP_FLG_VER,
 ['T'] = HTTP_FLG_TOK | HTTP_FLG_VER,
- ['U'] = HTTP_FLG_TOK,
- ['V'] = HTTP_FLG_TOK,
- ['W'] = HTTP_FLG_TOK,
- ['X'] = HTTP_FLG_TOK,
- ['Y'] = HTTP_FLG_TOK,
- ['Z'] = HTTP_FLG_TOK,
+ ['U'] = HTTP_FLG_TOK | HTTP_FLG_VER,
+ ['V'] = HTTP_FLG_TOK | HTTP_FLG_VER,
+ ['W'] = HTTP_FLG_TOK | HTTP_FLG_VER,
+ ['X'] = HTTP_FLG_TOK | HTTP_FLG_VER,
+ ['Y'] = HTTP_FLG_TOK | HTTP_FLG_VER,
+ ['Z'] = HTTP_FLG_TOK | HTTP_FLG_VER,
 ['['] = HTTP_FLG_SEP,
 [ 92] = HTTP_FLG_SEP,
 [']'] = HTTP_FLG_SEP,
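Review bot: The hunk gives HTTP_FLG_VER to every uppercase letter in the shared http_char_classes table, but nothing in the hunk ties that to accept-invalid-http-request; the gating the commit message describes must live in the h1 parser, so any other consumer of HTTP_FLG_VER (a request- or response-side version check that reads this table without also consulting the option) now inherits the wider class unconditionally. It is worth verifying that no version check outside the option-guarded path relies on this table to reject `FOO/1.1`-style tokens, since a forwarded non-HTTP protocol name is the kind of request-line ambiguity a downstream parser may interpret differently from HAProxy. The table should also say why letters carry a "version" flag, so I would add above the `['A']` entry: `/* A-Z carry HTTP_FLG_VER so non-standard protocol names (e.g. RTSP) pass the version-token class; callers are expected to accept them only when accept-invalid-http-request is set */`. The http_char_classes initializer starts and ends outside the hunk.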