BUG/MINOR: h3: filter upgrade connection header
authorAmaury Denoyelle <adenoyelle@haproxy.com>
Wed, 16 Apr 2025 09:20:42 +0000 (11:20 +0200)
committerAurelien DARRAGON <adarragon@haproxy.com>
Thu, 17 Apr 2025 13:05:11 +0000 (15:05 +0200)
As specified in RFC 9114, connection headers require special care in
HTTP/3. When a request is received with connection headers, the stream
is immediately closed. Conversely, when translating the response from
HTX, such headers are not encoded but silently ignored.

However, "upgrade" was not listed in connection headers. This commit
fixes this by adding a check on it both on request parsing and response
encoding.

This must be backported up to 2.6.

(cherry picked from commit 6403bfbce8ea54ba83e23d34c5d52ff10fa7fe22)
Signed-off-by: Aurelien DARRAGON <adarragon@haproxy.com>
(cherry picked from commit 95749cdc2b7a90ba956e546b7c314e3a37dd971e)
Signed-off-by: Aurelien DARRAGON <adarragon@haproxy.com>

src/h3.c

index 9745611..0914898 100644 (file)
--- a/src/h3.c
+++ b/src/h3.c
@@ -839,6 +839,7 @@ static ssize_t h3_headers_to_htx(struct qcs *qcs, const struct buffer *buf,
                else if (isteq(list[hdr_idx].n, ist("connection")) ||
                         isteq(list[hdr_idx].n, ist("proxy-connection")) ||
                         isteq(list[hdr_idx].n, ist("keep-alive")) ||
+                        isteq(list[hdr_idx].n, ist("upgrade")) ||
                         isteq(list[hdr_idx].n, ist("transfer-encoding"))) {
                        /* RFC 9114 4.2. HTTP Fields
                         *
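Review bot: The list of connection-specific field names is spelled out separately in four conditions (h3_headers_to_htx here, plus h3_trailers_to_htx, h3_resp_headers_send and h3_resp_trailers_send in the later hunks), so a name left out of one copy is easily left out of all of them, as "upgrade" was. A single static helper shared by all four sites would keep the request-rejection and response-filtering paths from drifting apart again, which matters because a gap here lets a field that is not valid in HTTP/3 through the protocol translation. The two header paths omit "te" where the two trailer paths include it, presumably because "te" is handled by a separate branch outside these hunks, so the helper should cover only the common names and leave "te" to the callers. All four enclosing functions start and end outside the hunks; the helper name below is only a suggestion.

```c
/* proposed helper: field names that are connection-specific and therefore
 * not valid in HTTP/3 (RFC 9114 4.2). "te" is left to the caller.
 */
static inline int h3_is_conn_specific_hdr(const struct ist n)
{
	return isteq(n, ist("connection")) ||
	       isteq(n, ist("proxy-connection")) ||
	       isteq(n, ist("keep-alive")) ||
	       isteq(n, ist("upgrade")) ||
	       isteq(n, ist("transfer-encoding"));
}

/* … unchanged: earlier branches of the header loop in h3_headers_to_htx … */
		else if (h3_is_conn_specific_hdr(list[hdr_idx].n)) {
```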
@@ -1058,6 +1059,7 @@ static ssize_t h3_trailers_to_htx(struct qcs *qcs, const struct buffer *buf,
                    isteq(list[hdr_idx].n, ist("connection")) ||
                    isteq(list[hdr_idx].n, ist("proxy-connection")) ||
                    isteq(list[hdr_idx].n, ist("keep-alive")) ||
+                   isteq(list[hdr_idx].n, ist("upgrade")) ||
                    isteq(list[hdr_idx].n, ist("te")) ||
                    isteq(list[hdr_idx].n, ist("transfer-encoding"))) {
                        TRACE_ERROR("forbidden HTTP/3 headers", H3_EV_RX_FRAME|H3_EV_RX_HDR, qcs->qcc->conn, qcs);
@@ -1703,6 +1705,7 @@ static int h3_resp_headers_send(struct qcs *qcs, struct htx *htx)
                if (isteq(list[hdr].n, ist("connection")) ||
                    isteq(list[hdr].n, ist("proxy-connection")) ||
                    isteq(list[hdr].n, ist("keep-alive")) ||
+                   isteq(list[hdr].n, ist("upgrade")) ||
                    isteq(list[hdr].n, ist("transfer-encoding"))) {
                        continue;
                }
@@ -1865,6 +1868,7 @@ static int h3_resp_trailers_send(struct qcs *qcs, struct htx *htx)
                    isteq(list[hdr].n, ist("connection")) ||
                    isteq(list[hdr].n, ist("proxy-connection")) ||
                    isteq(list[hdr].n, ist("keep-alive")) ||
+                   isteq(list[hdr].n, ist("upgrade")) ||
                    isteq(list[hdr].n, ist("te")) ||
                    isteq(list[hdr].n, ist("transfer-encoding"))) {
                        continue;