Repositories - haproxy-2.1.git/commit

author	Christopher Faulet <cfaulet@haproxy.com>
	Fri, 14 Feb 2020 13:47:37 +0000 (14:47 +0100)
committer	Christopher Faulet <cfaulet@haproxy.com>
	Fri, 21 Feb 2020 10:20:01 +0000 (11:20 +0100)
commit	de2554c62edf661e509d31d26545e90b9ada936b
tree	54bb2ef383c6a46266f304454bd9f183a45b698f	tree \| snapshot
parent	cf44aa6efa0e23444b287fdfb73d96ecdfc52135	commit \| diff

BUG/MINOR: mux-fcgi: Forbid special characters when matching PATH_INFO param

If a regex to match the PATH_INFO parameter is configured, it systematically
fails if a newline or a null character is present in the URL-decoded path. So,
from the moment there is at least a "%0a" or a "%00" in the request path, we
always fail to get the PATH_INFO parameter and all the decoded path is used for
the SCRIPT_NAME parameter.

It is probably not the expected behavior. Because, most of time, these
characters are not expected at all in a path, an error is now triggered when one
of these characters is found in the URL-decoded path before trying to execute
the path_info regex. However, this test is not performed if there is no regex
configured.

Note that in reality, the newline character is only a problem when HAProxy is
complied with pcre or pcre2 library and conversely, the null character is only a
problem for the libc's regex library. But both are always excluded to avoid any
inconsistency depending on compile options.

An alternative, not implemented yet, is to replace these characters by another
one. If someone complains about this behavior, it will be re-evaluated.

This patch must be backported to all versions supporting the FastCGI
applications, so to 2.1 for now.

(cherry picked from commit 28cb36613b29875daf164e9e267a870122aaac76)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>

doc/configuration.txt		diff \| blob \| history
src/mux_fcgi.c		diff \| blob \| history