BUG/MINOR: h3: reject request URI with invalid characters
authorAmaury Denoyelle <adenoyelle@haproxy.com>
Wed, 16 Apr 2025 13:27:03 +0000 (15:27 +0200)
committerAurelien DARRAGON <adarragon@haproxy.com>
Thu, 17 Apr 2025 13:05:26 +0000 (15:05 +0200)
Ensure that the HTX start-line generated after parsing an HTTP/3 request
does not contain any invalid character, i.e. control or whitespace
characters.

Note that for now path is used directly as URI. Thus, the check is
performed directly over it. A patch will change this to generate an
absolute-form URI in most cases, but it won't be backported to avoid
configuration breaking in stable versions.

This must be backported up to 2.6.

(cherry picked from commit 1faa1285aacaaacd2c2e062d87f04aa481843862)
Signed-off-by: Aurelien DARRAGON <adarragon@haproxy.com>
(cherry picked from commit 3c1914822d9b98f244c3e603c050a19cc29eed36)
Signed-off-by: Aurelien DARRAGON <adarragon@haproxy.com>

src/h3.c

index c0c5f44..fe06d2e 100644 (file)
--- a/src/h3.c
+++ b/src/h3.c
@@ -752,6 +752,18 @@ static ssize_t h3_headers_to_htx(struct qcs *qcs, const struct buffer *buf,
                goto out;
        }
 
+       /* Ensure that final URI does not contains LWS nor CTL characters. */
+       for (i = 0; i < path.len; i++) {
+               unsigned char c = istptr(path)[i];
+               if (HTTP_IS_LWS(c) || HTTP_IS_CTL(c)) {
+                       TRACE_ERROR("invalid character in path", H3_EV_RX_FRAME|H3_EV_RX_HDR, qcs->qcc->conn, qcs);
+                       h3s->err = H3_ERR_MESSAGE_ERROR;
+                       qcc_report_glitch(h3c->qcc, 1);
+                       len = -1;
+                       goto out;
+               }
+       }
+
        sl = htx_add_stline(htx, HTX_BLK_REQ_SL, flags, meth, path, ist("HTTP/3.0"));
        if (!sl) {
                len = -1;