1 files changed, 71 insertions, 0 deletions

diff --git a/debian/patches/BUG-MINOR-h3-reject-more-chars-from-the-path-pseudo-.patch b/debian/patches/BUG-MINOR-h3-reject-more-chars-from-the-path-pseudo-.patch
new file mode 100644
index 0000000..cbc086c
--- /dev/null
+++ b/debian/patches/BUG-MINOR-h3-reject-more-chars-from-the-path-pseudo-.patch
@@ -0,0 +1,71 @@
+From: Willy Tarreau <w@1wt.eu>
+Date: Tue, 8 Aug 2023 17:54:26 +0200
+Subject: BUG/MINOR: h3: reject more chars from the :path pseudo header
+Origin: https://git.haproxy.org/?p=haproxy-2.6.git;a=commit;h=eacaa76e7b0e4182dfd17e1e7ca8c02c1cdab72c
+
+This is the h3 version of this previous fix:
+
+   BUG/MINOR: h2: reject more chars from the :path pseudo header
+
+In addition to the current NUL/CR/LF, this will also reject all other
+control chars, the space and '#' from the :path pseudo-header, to avoid
+taking the '#' for a part of the path. It's still possible to fall back
+to the previous behavior using "option accept-invalid-http-request".
+
+Here the :path header value is scanned a second time to look for
+forbidden chars because we don't know upfront if we're dealing with a
+path header field or another one. This is no big deal anyway for now.
+
+This should be progressively backported to 2.6, along with the
+following commits it relies on (the same as for h2):
+
+   REGTESTS: http-rules: add accept-invalid-http-request for normalize-uri tests
+   REORG: http: move has_forbidden_char() from h2.c to http.h
+   MINOR: ist: add new function ist_find_range() to find a character range
+   MINOR: http: add new function http_path_has_forbidden_char()
+
+(cherry picked from commit 2e97857a845540887a92029a566deb5b51f61d0b)
+Signed-off-by: Amaury Denoyelle <adenoyelle@haproxy.com>
+(cherry picked from commit 96dfea858edab8f1f63fa6e4df43f505b81fdad9)
+Signed-off-by: Amaury Denoyelle <adenoyelle@haproxy.com>
+(cherry picked from commit 97c15782afd9c70281ff0c72971485227494cc12)
+Signed-off-by: Amaury Denoyelle <adenoyelle@haproxy.com>
+---
+ src/h3.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/src/h3.c b/src/h3.c
+index b42d41647e4e..e519fb4432e7 100644
+--- a/src/h3.c
++++ b/src/h3.c
+@@ -402,6 +402,7 @@ static ssize_t h3_headers_to_htx(struct qcs *qcs, const struct buffer *buf,
+ 	int hdr_idx, ret;
+ 	int cookie = -1, last_cookie = -1, i;
+ 	const char *ctl;
++	int relaxed = !!(h3c->qcc->proxy->options2 & PR_O2_REQBUG_OK);
+ 
+ 	/* RFC 9114 4.1.2. Malformed Requests and Responses
+ 	 *
+@@ -500,6 +501,19 @@ static ssize_t h3_headers_to_htx(struct qcs *qcs, const struct buffer *buf,
+ 				len = -1;
+ 				goto out;
+ 			}
++
++			if (!relaxed) {
++				/* we need to reject any control chars or '#' from the path,
++				 * unless option accept-invalid-http-request is set.
++				 */
++				ctl = ist_find_range(list[hdr_idx].v, 0, '#');
++				if (unlikely(ctl) && http_path_has_forbidden_char(list[hdr_idx].v, ctl)) {
++					TRACE_ERROR("forbidden character in ':path' pseudo-header", H3_EV_RX_FRAME|H3_EV_RX_HDR, qcs->qcc->conn, qcs);
++					len = -1;
++					goto out;
++				}
++			}
++
+ 			path = list[hdr_idx].v;
+ 		}
+ 		else if (isteq(list[hdr_idx].n, ist(":scheme"))) {
+-- 
+2.43.0
+