From 9255e7e9713a03486f8fc4ac8deba47a9e621dfe Mon Sep 17 00:00:00 2001 From: Willy Tarreau Date: Tue, 5 Mar 2019 10:47:37 +0100 Subject: [PATCH] BUG/MEDIUM: h2/htx: verify that :path doesn't contain invalid chars MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit While the legacy code converts h2 to h1 and provides some control over what is passed, in htx mode there is no such control and it is possible to pass control chars and linear white spaces in the path, which are possibly reencoded differently once passed to the H1 side. HTX supports parse error reporting using a special flag. Let's check the correctness of the :path pseudo header and report any anomaly in the HTX flag. Thanks to Jérôme Magnin for reporting this bug with a working reproducer. This fix must be backported to 1.9 along with the two previous patches ("MINOR: htx: unconditionally handle parsing errors in requests or responses" and "MINOR: mux-h2: always pass HTX_FL_PARSING_ERROR between h2s and buf on RX"). --- src/h2.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/h2.c b/src/h2.c index a4578f468..9c02cd3c5 100644 --- a/src/h2.c +++ b/src/h2.c @@ -492,6 +492,7 @@ static struct htx_sl *h2_prepare_htx_reqline(uint32_t fields, struct ist *phdr, int uri_idx = H2_PHDR_IDX_PATH; unsigned int flags = HTX_SL_F_NONE; struct htx_sl *sl; + size_t i; if ((fields & H2_PHDR_FND_METH) && isteq(phdr[H2_PHDR_IDX_METH], ist("CONNECT"))) { /* RFC 7540 #8.2.6 regarding CONNECT: ":scheme" and ":path" @@ -538,6 +539,13 @@ static struct htx_sl *h2_prepare_htx_reqline(uint32_t fields, struct ist *phdr, if (!phdr[uri_idx].len) goto fail; + /* make sure :path doesn't contain LWS nor CTL characters */ + for (i = 0; i < phdr[uri_idx].len; i++) { + unsigned char c = phdr[uri_idx].ptr[i]; + if (HTTP_IS_LWS(c) || HTTP_IS_CTL(c)) + htx->flags |= HTX_FL_PARSING_ERROR; + } + /* Set HTX start-line flags */ flags |= HTX_SL_F_VER_11; // V2 in fact flags |= HTX_SL_F_XFER_LEN; // xfer len always known with H2