From 22b44d5f2c7ce1ed0e4b62c639991d5abbd42a50 Mon Sep 17 00:00:00 2001
|
|
From: Amaury Denoyelle <adenoyelle@haproxy.com>
|
|
Date: Wed, 7 Dec 2022 14:31:42 +0100
|
|
Subject: [PATCH] BUG/MEDIUM: h3: reject request with invalid header name
|
|
|
|
Reject request containing invalid header name. This concerns every
|
|
header containing uppercase letter or a non HTTP token such as a space.
|
|
|
|
For the moment, this kind of error triggers a connection close. In the
|
|
future, it should be handled only with a stream reset. To reduce
|
|
backport surface, this will be implemented in another commit.
|
|
|
|
Thanks to Yuki Mogi from FFRI Security, Inc. for having reported this.
|
|
|
|
This must be backported up to 2.6.
|
|
|
|
(cherry picked from commit d6fb7a0e0f3a79afa1f4b6fc7b62053c3955dc4a)
|
|
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
|
|
(cherry picked from commit 3ca4223c5e1f18a19dc93b0b09ffdbd295554d46)
|
|
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
|
|
---
|
|
src/h3.c | 30 +++++++++++++++++++++++++++++-
|
|
1 file changed, 29 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/src/h3.c b/src/h3.c
|
|
index 97e821e..5f1c68a 100644
|
|
--- a/src/h3.c
|
|
+++ b/src/h3.c
|
|
@@ -352,7 +352,27 @@ static ssize_t h3_headers_to_htx(struct qcs *qcs, const struct buffer *buf,
|
|
//struct ist scheme = IST_NULL, authority = IST_NULL;
|
|
struct ist authority = IST_NULL;
|
|
int hdr_idx, ret;
|
|
- int cookie = -1, last_cookie = -1;
|
|
+ int cookie = -1, last_cookie = -1, i;
|
|
+
|
|
+ /* RFC 9114 4.1.2. Malformed Requests and Responses
|
|
+ *
|
|
+ * A malformed request or response is one that is an otherwise valid
|
|
+ * sequence of frames but is invalid due to:
|
|
+ * - the presence of prohibited fields or pseudo-header fields,
|
|
+ * - the absence of mandatory pseudo-header fields,
|
|
+ * - invalid values for pseudo-header fields,
|
|
+ * - pseudo-header fields after fields,
|
|
+ * - an invalid sequence of HTTP messages,
|
|
+ * - the inclusion of uppercase field names, or
|
|
+ * - the inclusion of invalid characters in field names or values.
|
|
+ *
|
|
+ * [...]
|
|
+ *
|
|
+ * Intermediaries that process HTTP requests or responses (i.e., any
|
|
+ * intermediary not acting as a tunnel) MUST NOT forward a malformed
|
|
+ * request or response. Malformed requests or responses that are
|
|
+ * detected MUST be treated as a stream error of type H3_MESSAGE_ERROR.
|
|
+ */
|
|
|
|
TRACE_ENTER(H3_EV_RX_FRAME|H3_EV_RX_HDR, qcs->qcc->conn, qcs);
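Review bot: The RFC 9114 excerpt added above TRACE_ENTER says malformed messages MUST be treated as a stream error of type H3_MESSAGE_ERROR, but it does not record that the code currently diverges from this: per the commit message, the rejection closes the whole connection. Add a closing line to the comment such as `* TODO: currently reported as a connection error; convert to a stream reset with H3_MESSAGE_ERROR.` so the gap is visible in the source and not only in the commit log. The comment should also say that only field names are validated at this point, since the quoted list covers field values as well, and it would read better next to the field-name loop it justifies than among the declarations. The body of h3_headers_to_htx continues outside the hunk.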
|
|
|
|
@@ -416,6 +436,14 @@ static ssize_t h3_headers_to_htx(struct qcs *qcs, const struct buffer *buf,
|
|
if (isteq(list[hdr_idx].n, ist("")))
|
|
break;
|
|
|
|
+ for (i = 0; i < list[hdr_idx].n.len; ++i) {
|
|
+ const char c = list[hdr_idx].n.ptr[i];
|
|
+ if ((uint8_t)(c - 'A') < 'Z' - 'A' || !HTTP_IS_TOKEN(c)) {
|
|
+ TRACE_ERROR("invalid characters in field name", H3_EV_RX_FRAME|H3_EV_RX_HDR, qcs->qcc->conn, qcs);
|
|
+ return -1;
|
|
+ }
|
|
+ }
|
|
+
|
|
if (isteq(list[hdr_idx].n, ist("cookie"))) {
|
|
http_cookie_register(list, hdr_idx, &cookie, &last_cookie);
|
|
continue;
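Review bot: The uppercase test in the added loop, `(uint8_t)(c - 'A') < 'Z' - 'A'`, is off by one: `'Z' - 'A'` is 25, so offsets 0 to 24 ('A' through 'Y') are rejected but 'Z' itself is not. Unless HTTP_IS_TOKEN (not visible here) rejects it, which is unlikely for a token-character test, a field name containing an uppercase 'Z' passes the check and is forwarded, which is the malformed case this commit is meant to stop. The comparison should be inclusive: `if ((uint8_t)(c - 'A') <= 'Z' - 'A' || !HTTP_IS_TOKEN(c)) {`. Separately, `i` is declared `int` in the first hunk and compared with `list[hdr_idx].n.len`, which is presumably an unsigned length; declaring it `size_t` would avoid the signed/unsigned comparison. The enclosing header loop starts and ends outside the hunk.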
|
|
--
|
|
1.7.10.4
|
|
|