BUG/MEDIUM: http-ana: fix crash or wrong header deletion by http-restrict-req-hdr-names
When using `option http-restrict-req-hdr-names delete`, HAproxy may
crash or delete wrong header after receiving request containing multiple
forbidden characters in single header name; exact behavior depends on
number of request headers, number of forbidden characters and position
of header containing them.
This patch fixes GitHub issue #1822.
Must be backported as far as 2.2 (buggy feature got included in 2.2.25,
2.4.18 and 2.5.8).
(cherry picked from commit 4b85a963be4bfc5aab9295ec627b332662f9e3b3)
Signed-off-by: Willy Tarreau <w@1wt.eu>
(cherry picked from commit 833b224e564992847382448225eae1b6654bef70)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit 35fb88e93d10d9a37e3dc3b8c01951690fccacb1)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
diff --git a/src/http_ana.c b/src/http_ana.c
index 4491ea1..e92c606 100644
--- a/src/http_ana.c
+++ b/src/http_ana.c
@@ -2655,17 +2655,21 @@
if (type == HTX_BLK_HDR) {
struct ist n = htx_get_blk_name(htx, blk);
- int i;
+ int i, end = istlen(n);
- for (i = 0; i < istlen(n); i++) {
+ for (i = 0; i < end; i++) {
if (!isalnum((unsigned char)n.ptr[i]) && n.ptr[i] != '-') {
- /* Block the request or remove the header */
- if (px->options2 & PR_O2_RSTRICT_REQ_HDR_NAMES_BLK)
- goto block;
- blk = htx_remove_blk(htx, blk);
- continue;
+ break;
}
}
+
+ if (i < end) {
+ /* Disallowed character found - block the request or remove the header */
+ if (px->options2 & PR_O2_RSTRICT_REQ_HDR_NAMES_BLK)
+ goto block;
+ blk = htx_remove_blk(htx, blk);
+ continue;
+ }
}
if (type == HTX_BLK_EOH)
break;