BUG/MEDIUM: h1: always reject the NUL character in header values
Ben Kallus kindly reported that we still hadn't blocked the NUL
character from header values as clarified in RFC9110 and that, even
though there's no known issure related to this, it may one day be
used to construct an attack involving another component.
Actually, both Christopher and I sincerely believed we had done it
prior to releasing 2.9, shame on us for missing that one and thanks
to Ben for the reminder!
The change was applied, it was confirmed to properly reject this NUL
byte from both header and trailer values, and it's still possible to
force it to continue to be supported using the usual pair of unsafe
"option accept-invalid-http-{request|response}" for those who would
like to keep it for whatever reason that wouldn't make sense.
This was tagged medium so that distros also remember to apply it as
a preventive measure.
It should progressively be backported to all versions down to 2.0.
(cherry picked from commit 0d76a284b6abe90b7001284a5953f8f445c30ebe)
Signed-off-by: Willy Tarreau <w@1wt.eu>
(cherry picked from commit 406bc7500df823c222134616900657145a5dfdc9)
Signed-off-by: Willy Tarreau <w@1wt.eu>
(cherry picked from commit 08ebf1962c0e75c45953b500d7e9a9ef29142f52)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit 023dc662d533117c7e4bcccb1528afd9480f3ee9)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit 95843b77a752e0c79a0d688c38d9ee05ab7ccbbe)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
1 file changed