BUG/MEDIUM: http: Properly reject non-HTTP/1.x protocols
This patch hardens the verification of the HTTP/1.x version line
(i.e. the first line within an HTTP/1.x request) to verify that
the protocol name within the version actually reads "HTTP".
Previously protocols that superficially resembled the wire-format
of HTTP/1.x and having a 4-letter acronym as the protocol name, such
as RTSP would pass this check.
This patch fixes GitHub issue #540, it must be backported to all
supported versions. The legacy, non-HTX parser is affected as well,
a fix must be created for it as well.
Note that such protocols can still be used when option
accept-invalid-http-request is set.
(cherry picked from commit 8f4116ea6589bcf02474622f0af4baee276e56b5)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit 504342d34f764ce67c860551cebdbed9cca73c56)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
diff --git a/src/h1_htx.c b/src/h1_htx.c
index 6aa389e..b6a91f2 100644
--- a/src/h1_htx.c
+++ b/src/h1_htx.c
@@ -57,7 +57,7 @@
if (sl->rq.v.len != 8)
return 0;
- if (*(sl->rq.v.ptr + 4) != '/' ||
+ if (!istnmatch(sl->rq.v, ist("HTTP/"), 5) ||
!isdigit((unsigned char)*(sl->rq.v.ptr + 5)) ||
*(sl->rq.v.ptr + 6) != '.' ||
!isdigit((unsigned char)*(sl->rq.v.ptr + 7)))