Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / 631c7e866522f8a11c9218ffed7a95d0d6b96b5e^! / . / src / mux_h1.c
commit631c7e866522f8a11c9218ffed7a95d0d6b96b5e[log] [tgz]
authorChristopher Faulet <cfaulet@haproxy.com>Mon Sep 27 09:47:03 2021 +0200
committerChristopher Faulet <cfaulet@haproxy.com>Tue Sep 28 16:21:25 2021 +0200
tree3189aedd3a40c7019a545fae40305b7d9cc0dbb3
parente136bd12a32970bc90d862d5fe09ea1952b62974 [diff] [blame]
MEDIUM: h1: Force close mode for invalid uses of T-E header

Transfer-Encoding header is not supported in HTTP/1.0. However, softwares
dealing with HTTP/1.0 and HTTP/1.1 messages may accept it and transfer
it. When a Content-Length header is also provided, it must be
ignored. Unfortunately, this may lead to vulnerabilities (request smuggling
or response splitting) if an intermediary is only implementing
HTTP/1.0. Because it may ignore Transfer-Encoding header and only handle
Content-Length one.

To avoid any security issues, when Transfer-Encoding and Content-Length
headers are found in a message, the close mode is forced. The same is
performed for HTTP/1.0 message with a Transfer-Encoding header only. This
change is conform to what it is described in the last HTTP/1.1 draft. See
also httpwg/http-core#879.

Note that Content-Length header is also removed from any incoming messages
if a Transfer-Encoding header is found. However it is not true (not yet) for
responses generated by HAProxy.

diff --git a/src/mux_h1.c b/src/mux_h1.c
index a391ab1..a627f19 100644
--- a/src/mux_h1.c
+++ b/src/mux_h1.c

@@ -1995,12 +1995,22 @@
 			  last_lf:
 				h1m->state = H1_MSG_LAST_LF;
 				if (!(h1s->flags & H1S_F_HAVE_O_CONN)) {
-					/* If the reply comes from haproxy while the request is
-					 * not finished, we force the connection close. */
 					if ((chn_htx->flags & HTX_FL_PROXY_RESP) && h1s->req.state != H1_MSG_DONE) {
+						/* If the reply comes from haproxy while the request is
+						 * not finished, we force the connection close. */
 						h1s->flags = (h1s->flags & ~H1S_F_WANT_MSK) | H1S_F_WANT_CLO;
 						TRACE_STATE("force close mode (resp)", H1_EV_TX_DATA|H1_EV_TX_HDRS, h1s->h1c->conn, h1s);
 					}
+					else if ((h1m->flags & (H1_MF_XFER_ENC|H1_MF_CLEN)) == (H1_MF_XFER_ENC|H1_MF_CLEN)) {
+						/* T-E + C-L: force close */
+						h1s->flags = (h1s->flags & ~H1S_F_WANT_MSK) | H1S_F_WANT_CLO;
+						TRACE_STATE("force close mode (T-E + C-L)", H1_EV_TX_DATA|H1_EV_TX_HDRS, h1s->h1c->conn, h1s);
+					}
+					else if ((h1m->flags & (H1_MF_VER_11|H1_MF_XFER_ENC)) == H1_MF_XFER_ENC) {
+						/* T-E + HTTP/1.0: force close */
+						h1s->flags = (h1s->flags & ~H1S_F_WANT_MSK) | H1S_F_WANT_CLO;
+						TRACE_STATE("force close mode (T-E + HTTP/1.0)", H1_EV_TX_DATA|H1_EV_TX_HDRS, h1s->h1c->conn, h1s);
+					}
 
 					/* the conn_mode must be processed. So do it */
 					n = ist("connection");