Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / 6e6c7b128454314cca50a7deaaf44326ad2c0953
commit6e6c7b128454314cca50a7deaaf44326ad2c0953[log] [tgz]
authorChristopher Faulet <cfaulet@haproxy.com>Fri Jan 08 16:02:05 2021 +0100
committerChristopher Faulet <cfaulet@haproxy.com>Thu Jan 28 16:27:48 2021 +0100
treed95e1639cf66c8df367c56638423c1ac50c33f1d
parent576c358508ace18fea4ed9a08827045600697f49 [diff]
MEDIUM: http-ana: Refuse invalid 101-switching-protocols responses

A 101-switching-protocols response must contain a Connection header with the
Upgrade option. And this response must only be received from a server if the
client explicitly requested a protocol upgrade. Thus, the request must also
contain a Connection header with the Upgrade option. If not, a
502-bad-gateway response is returned to the client. This way, a tunnel is
only established if both sides are agree.

It is closer to what the RFC says, but it remains a bit flexible because
there is no check on the Upgrade header itself. However, that's probably
enough to ensure a tunnel is not established when not requested.

This one is not tagged as a bug. But it may be backported, at least to
2.3. It relies on :

  * MINOR: htx/http-ana: Save info about Upgrade option in the Connection header
1 file changed
tree: d95e1639cf66c8df367c56638423c1ac50c33f1d
  1. .github/
  2. contrib/
  3. doc/
  4. examples/
  5. include/
  6. reg-tests/
  7. scripts/
  8. src/
  9. tests/
  10. .cirrus.yml
  11. .gitattributes
  12. .gitignore
  13. .travis.yml
  14. BRANCHES
  15. CHANGELOG
  16. CONTRIBUTING
  17. INSTALL
  18. LICENSE
  19. MAINTAINERS
  20. Makefile
  21. README
  22. ROADMAP
  23. SUBVERS
  24. VERDATE
  25. VERSION