REGTESTS: add a test to prevent h2 desync attacks

This test ensures that h2 pseudo headers are properly checked for invalid
characters and the host header is ignored if :authority is present. This
is necessary to prevent h2 desync attacks as described here
https://portswigger.net/research/http2

(cherry picked from commit 7ef244d73b073edf3d493ed826ca1b0233c330e0)
Signed-off-by: Willy Tarreau <w@1wt.eu>
(cherry picked from commit 39faba79f254dac92668f4852db4ef67a8421658)
Signed-off-by: Willy Tarreau <w@1wt.eu>
(cherry picked from commit 838b9bf022a12cf91d31d7bfb87797c6742a4923)
Signed-off-by: Willy Tarreau <w@1wt.eu>
(cherry picked from commit fafcab583d71cfd22b671dcb12aed7cf9e92c2a0)
[wt: adjusted for 2.0 (since most bugs/fixes not relevant there: uses
     redirects with received hosts instead of return 200; rxrst and
     400 replaced with check for 302 with valid original host for
     scheme and path attacks on URI; auth vs host dropped]
Signed-off-by: Willy Tarreau <w@1wt.eu>
1 file changed