Posted to commits@trafficserver.apache.org by bc...@apache.org on 2021/10/27 18:41:56 UTC
[trafficserver] branch 8.1.x updated: Add some checking to validate
the scheme matches the wire protocol. (#8464)
This is an automated email from the ASF dual-hosted git repository.
bcall pushed a commit to branch 8.1.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/8.1.x by this push:
new feefc5e Add some checking to validate the scheme matches the wire protocol. (#8464)
feefc5e is described below
commit feefc5e4abc5011dfad5dcfef3f22998faf6e2d4
Author: Alan M. Carroll <am...@apache.org>
AuthorDate: Wed Oct 27 13:41:47 2021 -0500
Add some checking to validate the scheme matches the wire protocol. (#8464)
---
proxy/http/HttpSM.cc | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/proxy/http/HttpSM.cc b/proxy/http/HttpSM.cc
index f222714..791b625 100644
--- a/proxy/http/HttpSM.cc
+++ b/proxy/http/HttpSM.cc
@@ -732,6 +732,17 @@ HttpSM::state_read_client_request_header(int event, void *data)
case PARSE_RESULT_DONE:
SMDebug("http", "[%" PRId64 "] done parsing client request header", sm_id);
+ if (!is_internal) {
+ auto scheme = t_state.hdr_info.client_request.url_get()->scheme_get_wksidx();
+ if ((client_connection_is_ssl && (scheme == URL_WKSIDX_HTTP || scheme == URL_WKSIDX_WS)) ||
+ (!client_connection_is_ssl && (scheme == URL_WKSIDX_HTTPS || scheme == URL_WKSIDX_WSS))) {
+ SMDebug("http", "scheme [%s] vs. protocol [%s] mismatch", hdrtoken_index_to_wks(scheme),
+ client_connection_is_ssl ? "tls" : "plaintext");
+ t_state.http_return_code = HTTP_STATUS_BAD_REQUEST;
+ call_transact_and_set_next_state(HttpTransact::BadRequest);
+ break;
+ }
+ }
ua_txn->set_session_active();
if (t_state.hdr_info.client_request.version_get() == HTTPVersion(1, 1) &&
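Review bot: The new mismatch `SMDebug` call drops the `[%" PRId64 "]` / `sm_id` prefix that the context line directly above it uses, so a rejected request cannot be correlated with its state machine in the debug output; I would write it as `SMDebug("http", "[%" PRId64 "] scheme [%s] vs. protocol [%s] mismatch", sm_id, hdrtoken_index_to_wks(scheme), client_connection_is_ssl ? "tls" : "plaintext");`. That message is also the only record of why the 400 was returned and it is gated on the debug tag, so operators who want to detect scheme/transport mismatches will presumably see nothing beyond the status code unless a non-debug log line or counter is added. The block would also benefit from a short comment such as `// Reject a request target whose scheme contradicts the transport it arrived on; targets without one of these four schemes and internal requests are passed through.`, because the `is_internal` exemption and the fall-through for any other `scheme_get_wksidx()` result are deliberate but not obvious from the condition. The enclosing `state_read_client_request_header` starts and continues outside this hunk, so whether `client_connection_is_ssl` reflects the client's real transport when TLS is terminated in front of the proxy cannot be confirmed from here.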