BUG/MEDIUM: h1: Don't support LF only to mark the end of a chunk size
It is similar to the previous fix but for the chunk size parsing. But this
one is more annoying because a poorly coded application in front of haproxy
may ignore the last digit before the LF thinking it should be a CR. In this
case it may be out of sync with HAProxy and that could be exploited to
perform some sort or request smuggling attack.
While it seems unlikely, it is safer to forbid LF with CR at the end of a
chunk size.
This patch must be backported to 2.9 and probably to all stable versions
because there is no reason to still support LF without CR in this case.
(cherry picked from commit 4837e998920cbd4e43026e0a638b8ebd71c8018f)
Signed-off-by: Willy Tarreau <w@1wt.eu>
(cherry picked from commit e6dc7670438f1cf87b7f16fc78365e130ecba295)
Signed-off-by: Willy Tarreau <w@1wt.eu>
(cherry picked from commit a73e00a1f7164d5dbb276232c8d3c838d921da89)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit bb2f1c00f78614b6469c6bd65fc0e33f66ab42b2)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit f2597d525ebe0898e2b9e3656d57fb19ebfcddfe)
[cf: Only h1_parse_chunk_size() had to be fixed]
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
1 file changed