Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / 1ba30167a029883badfb8fa8dd0fe0239d9a9237^! / .
commit1ba30167a029883badfb8fa8dd0fe0239d9a9237[log] [tgz]
authorWilly Tarreau <w@1wt.eu>Tue May 24 15:34:26 2022 +0200
committerWilly Tarreau <w@1wt.eu>Tue May 24 15:38:54 2022 +0200
tree06d09c25f0a375bde88cb49783cad93c4dd0189a
parent8f4116ea6589bcf02474622f0af4baee276e56b5 [diff]
MEDIUM: h1: enlarge the scope of accepted version chars with accept-invalid-http-request

We used to support both RTSP and HTTP protocol version names with and
without accept-invalid-http-request, but since this is based on the
characters themselves, any protocol made of chars {0-9/.HPRST} was
possible and not others. Now that such non-standard protocols are
restricted to accept-invalid-http-request, there's no reason for not
allowing other letters. With this patch, characters {0-9./A-Z} are
permitted when the option is set.

diff --git a/doc/configuration.txt b/doc/configuration.txt
index e2191c2..d9fd06d 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt

@@ -8372,8 +8372,8 @@
   not allowed at all. HAProxy always blocks a number of them (0..32, 127). The
   remaining ones are blocked by default unless this option is enabled. This
   option also relaxes the test on the HTTP version, it allows HTTP/0.9 requests
-  to pass through (no version specified) and multiple digits for both the major
-  and the minor version.
+  to pass through (no version specified), as well as different protocol names
+  (e.g. RTSP), and multiple digits for both the major and the minor version.
 
   This option should never be enabled by default as it hides application bugs
   and open security breaches. It should only be deployed after a problem has

diff --git a/src/http.c b/src/http.c
index 8377451..bc0a808 100644
--- a/src/http.c
+++ b/src/http.c

@@ -90,32 +90,32 @@
 	['>'] = HTTP_FLG_SEP,
 	['?'] = HTTP_FLG_SEP,
 	['@'] = HTTP_FLG_SEP,
-	['A'] = HTTP_FLG_TOK,
-	['B'] = HTTP_FLG_TOK,
-	['C'] = HTTP_FLG_TOK,
-	['D'] = HTTP_FLG_TOK,
-	['E'] = HTTP_FLG_TOK,
-	['F'] = HTTP_FLG_TOK,
-	['G'] = HTTP_FLG_TOK,
+	['A'] = HTTP_FLG_TOK | HTTP_FLG_VER,
+	['B'] = HTTP_FLG_TOK | HTTP_FLG_VER,
+	['C'] = HTTP_FLG_TOK | HTTP_FLG_VER,
+	['D'] = HTTP_FLG_TOK | HTTP_FLG_VER,
+	['E'] = HTTP_FLG_TOK | HTTP_FLG_VER,
+	['F'] = HTTP_FLG_TOK | HTTP_FLG_VER,
+	['G'] = HTTP_FLG_TOK | HTTP_FLG_VER,
 	['H'] = HTTP_FLG_TOK | HTTP_FLG_VER,
-	['I'] = HTTP_FLG_TOK,
-	['J'] = HTTP_FLG_TOK,
-	['K'] = HTTP_FLG_TOK,
-	['L'] = HTTP_FLG_TOK,
-	['M'] = HTTP_FLG_TOK,
-	['N'] = HTTP_FLG_TOK,
-	['O'] = HTTP_FLG_TOK,
+	['I'] = HTTP_FLG_TOK | HTTP_FLG_VER,
+	['J'] = HTTP_FLG_TOK | HTTP_FLG_VER,
+	['K'] = HTTP_FLG_TOK | HTTP_FLG_VER,
+	['L'] = HTTP_FLG_TOK | HTTP_FLG_VER,
+	['M'] = HTTP_FLG_TOK | HTTP_FLG_VER,
+	['N'] = HTTP_FLG_TOK | HTTP_FLG_VER,
+	['O'] = HTTP_FLG_TOK | HTTP_FLG_VER,
 	['P'] = HTTP_FLG_TOK | HTTP_FLG_VER,
-	['Q'] = HTTP_FLG_TOK,
+	['Q'] = HTTP_FLG_TOK | HTTP_FLG_VER,
 	['R'] = HTTP_FLG_TOK | HTTP_FLG_VER,
 	['S'] = HTTP_FLG_TOK | HTTP_FLG_VER,
 	['T'] = HTTP_FLG_TOK | HTTP_FLG_VER,
-	['U'] = HTTP_FLG_TOK,
-	['V'] = HTTP_FLG_TOK,
-	['W'] = HTTP_FLG_TOK,
-	['X'] = HTTP_FLG_TOK,
-	['Y'] = HTTP_FLG_TOK,
-	['Z'] = HTTP_FLG_TOK,
+	['U'] = HTTP_FLG_TOK | HTTP_FLG_VER,
+	['V'] = HTTP_FLG_TOK | HTTP_FLG_VER,
+	['W'] = HTTP_FLG_TOK | HTTP_FLG_VER,
+	['X'] = HTTP_FLG_TOK | HTTP_FLG_VER,
+	['Y'] = HTTP_FLG_TOK | HTTP_FLG_VER,
+	['Z'] = HTTP_FLG_TOK | HTTP_FLG_VER,
 	['['] = HTTP_FLG_SEP,
 	[ 92] = HTTP_FLG_SEP,
 	[']'] = HTTP_FLG_SEP,