From: Willy Tarreau Date: Wed, 26 Feb 2020 12:51:38 +0000 (+0100) Subject: BUG/MINOR: h2: reject again empty :path pseudo-headers X-Git-Tag: v2.1.4~74 X-Git-Url: http://git.haproxy.org/?a=commitdiff_plain;h=3f821294d81397ea2d5259d43fb2683b745c46af;p=haproxy-2.1.git BUG/MINOR: h2: reject again empty :path pseudo-headers Since commit 92919f7fd5 ("MEDIUM: h2: make the request parser rebuild a complete URI") we make sure to rebuild a complete URI. Unfortunately the test for an empty :path pseudo-header that is mandated by #8.1.2.3 appened to be performed on the URI before this patch, which is never empty anymore after being rebuilt, causing h2spec to complain : 8. HTTP Message Exchanges 8.1. HTTP Request/Response Exchange 8.1.2. HTTP Header Fields 8.1.2.3. Request Pseudo-Header Fields - 1: Sends a HEADERS frame with empty ":path" pseudo-header field -> The endpoint MUST respond with a stream error of type PROTOCOL_ERROR. Expected: GOAWAY Frame (Error Code: PROTOCOL_ERROR) RST_STREAM Frame (Error Code: PROTOCOL_ERROR) Connection closed Actual: DATA Frame (length:0, flags:0x01, stream_id:1) It's worth noting that this error doesn't trigger when calling h2spec with a timeout as some scripts do, which explains why it wasn't detected after the patch above. This fixes one half of issue #471 and should be backported to 2.1. (cherry picked from commit fd2658c0c6a275b497c92de2fc8513e458d0f169) Signed-off-by: Christopher Faulet --- diff --git a/src/h2.c b/src/h2.c index c5307d9..fa11868 100644 --- a/src/h2.c +++ b/src/h2.c @@ -239,6 +239,9 @@ static struct htx_sl *h2_prepare_htx_reqline(uint32_t fields, struct ist *phdr, * use the trash to concatenate them since all of them MUST fit * in a bufsize since it's where they come from. */ + if (unlikely(!phdr[H2_PHDR_IDX_PATH].len)) + goto fail; // 7540#8.1.2.3: :path must not be empty + uri = ist2bin(trash.area, phdr[H2_PHDR_IDX_SCHM]); istcat(&uri, ist("://"), trash.size); istcat(&uri, phdr[H2_PHDR_IDX_AUTH], trash.size);