commit 56ab17d34a32d9c15558c2c2d17b743e6d679cbd
author Amaury Denoyelle <adenoyelle@haproxy.com> Fri Jun 28 10:50:19 2024 +0200
committer Christopher Faulet <cfaulet@haproxy.com> Wed Jul 03 10:29:11 2024 +0200
tree 21e9cc5027bd39ffa2ff27afe9e3fa28c28c7fdc
parent 94d305eaffc83dff3f59f5c2a3fbeb4710efa39a

BUG/MEDIUM: h3: ensure the ":scheme" pseudo header is totally valid

Ensure pseudo-header scheme is only constitued of valid characters
according to RFC 9110. If an invalid value is found, the request is
rejected and stream is resetted.

It's the same as for previous commit "BUG/MEDIUM: h3: ensure the
":method" pseudo header is totally valid" except that this time it
applies to the ":scheme" pseudo header.

This must be backported up to 2.6.

(cherry picked from commit a3bed52d1f84ba36af66be4317a5f746d498bdf4)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit 5ddc4004cb0c3c4ea4f4596577c85f004678e9c0)
[cf: adapted]
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit 6748a47819c263d4631187b6f121b5344ab50d57)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>

src/h3.c

diff --git a/src/h3.c b/src/h3.c
index 0a9eae5..cc37263 100644
--- a/src/h3.c
+++ b/src/h3.c
@@ -599,6 +599,14 @@
 				len = -1;
 				goto out;
 			}
+
+			if (!http_validate_scheme(list[hdr_idx].v)) {
+				TRACE_ERROR("invalid scheme pseudo-header", H3_EV_RX_FRAME|H3_EV_RX_HDR, qcs->qcc->conn, qcs);
+				h3s->err = H3_MESSAGE_ERROR;
+				len = -1;
+				goto out;
+			}
+
 			scheme = list[hdr_idx].v;
 		}
 		else if (isteq(list[hdr_idx].n, ist(":authority"))) {