Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / e98411bd0171df79ec503e666bb8d893b8a18a26^! / . / src / http_fetch.c
commite98411bd0171df79ec503e666bb8d893b8a18a26[log] [tgz]
authorChristopher Faulet <cfaulet@haproxy.com>Mon Jul 15 13:58:29 2019 +0200
committerChristopher Faulet <cfaulet@haproxy.com>Fri Jul 19 09:55:37 2019 +0200
tree13a505f7faa83c10252364112f042df908dfa7ad
parentd9b35d9e063e389f4c1a715d62facceeaebd8a54 [diff] [blame]
BUG/MINOR: http_fetch: Fix http_auth/http_auth_group when called from TCP rules

These sample fetches rely on the static fnuction get_http_auth(). For HTX
streams and TCP proxies, this last one gets its HTX message from the request's
channel. When called from an HTTP rule, There is no problem. Bu when called from
TCP rules for a TCP proxy, this buffer is a raw buffer not an HTX message. For
instance, using the following TCP rule leads to a crash :

  tcp-request content accept if { http_auth(Users) }

To fix the bug, we must rely on the HTX message returned by the function
smp_prefetch_htx(). So now, the HTX message is passed as argument to the
function get_http_auth().

This patch must be backported to 2.0 and 1.9.

(cherry picked from commit cd7619506173562eea92abde034eb44dce23d53b)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>

diff --git a/src/http_fetch.c b/src/http_fetch.c
index 858e72e..67ea209 100644
--- a/src/http_fetch.c
+++ b/src/http_fetch.c

@@ -59,7 +59,7 @@
  * have the credentials overwritten by another stream in parallel.
  */
 
-static int get_http_auth(struct sample *smp)
+static int get_http_auth(struct sample *smp, struct htx *htx)
 {
 	struct stream *s = smp->strm;
 	struct http_txn *txn = s->txn;
@@ -75,9 +75,8 @@
 
 	txn->auth.method = HTTP_AUTH_WRONG;
 
-	if (IS_HTX_STRM(s) || (smp->px->mode == PR_MODE_TCP)) {
+	if (htx) {
 		/* HTX version */
-		struct htx *htx = htxbuf(&s->req.buf);
 		struct http_hdr_ctx ctx = { .blk = NULL };
 		struct ist hdr;
 
@@ -1918,14 +1917,16 @@
 
 		if (!htx)
 			return 0;
+		if (!get_http_auth(smp, htx))
+			return 0;
 	}
 	else {
 		/* LEGACY version */
 		CHECK_HTTP_MESSAGE_FIRST(chn);
+		if (!get_http_auth(smp, NULL))
+			return 0;
 	}
 
-	if (!get_http_auth(smp))
-		return 0;
 	smp->data.type = SMP_T_BOOL;
 	smp->data.u.sint = check_user(args->data.usr, smp->strm->txn->auth.user,
 				      smp->strm->txn->auth.pass);
@@ -1946,15 +1947,16 @@
 
 		if (!htx)
 			return 0;
+		if (!get_http_auth(smp, htx))
+			return 0;
 	}
 	else {
 		/* LEGACY version */
 		CHECK_HTTP_MESSAGE_FIRST(chn);
+		if (!get_http_auth(smp, NULL))
+			return 0;
 	}
 
-	if (!get_http_auth(smp))
-		return 0;
-
 	/* if the user does not belong to the userlist or has a wrong password,
 	 * report that it unconditionally does not match. Otherwise we return
 	 * a string containing the username.