BUG/MINIR: h1: Fix doc of 'accept-unsafe-...-request' about URI parsing

The description of tests performed on the URI in H1 when
'accept-unsafe-violations-in-http-request' option is wrong. It states that
only characters below 32 and 127 are blocked when this option is set,
suggesting that otherwise, when it is not set, all invalid characters in the
URI, according to the RFC3986, are blocked.

But in fact, it is not true. By default all character below 32 and above 127
are blocked. And when 'accept-unsafe-violations-in-http-request' option is
set, characters above 127 (excluded) are accepted. But characters in
(33..126) are never checked, independently of this option.

This patch should fix the issue #2906. It should be backported as far as
3.0. For older versions, the docuementation could also be clarified because
this part is not really clear.

Note the request URI validation is still under discution because invalid
characters in (33.126) are never checked and some users request a stricter
parsing.

(cherry picked from commit b2f64af3413e623aff2f2413cbbef6ac27f44f21)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit 3b01e537edd2b50c449ede6cb312caa45786ca35)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>
(cherry picked from commit eeb21041a1fab3022d905cfbfe9fad683c52b623)
Signed-off-by: Christopher Faulet <cfaulet@haproxy.com>

diff --git a/doc/configuration.txt b/doc/configuration.txt
index c794cb9..d9c654c 100644 (file)
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -8819,11 +8819,14 @@ no option accept-invalid-http-request
 
     * In H1 only, NULL character in header value will be accepted;
 
-    * The list of characters allowed to appear in a URI is well defined by
-      RFC3986, and chars 0-31, 32 (space), 34 ('"'), 60 ('<'), 62 ('>'), 92
-      ('\'), 94 ('^'), 96 ('`'), 123 ('{'), 124 ('|'), 125 ('}'), 127 (delete)
-      and anything above are normally not allowed. But here, in H1 only,
-      HAProxy will only block a number of them (0..32, 127);
+    * In H1 only, characters above 127 in the URI will be accepted. The list of
+      characters allowed to appear in a URI is well defined by RFC3986, and
+      chars 0-31, 32 (space), 34 ('"'), 60 ('<'), 62 ('>'), 92 ('\'), 94 ('^'),
+      96 ('`'), 123 ('{'), 124 ('|'), 125 ('}'), 127 (delete) and anything
+      above are normally not allowed. In H1, all character between (0..32) and
+      127 will always be blocked. All characters above 127 (excluded) will also
+      be blocked, except when this option is enabled. Other characters
+      (33..126) will not be checked at all.
 
     * In H1 and H2, URLs containing fragment references ('#' after the path)
       will be accepted;