You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@trafficserver.apache.org by bc...@apache.org on 2021/10/27 20:53:33 UTC
[trafficserver] 04/04: Add some checking to validate the scheme
matches the wire protocol. (#8465)
This is an automated email from the ASF dual-hosted git repository.
bcall pushed a commit to branch 9.1.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
commit d6462761f284634e482a95974002ed271b0efa1b
Author: Alan M. Carroll <am...@apache.org>
AuthorDate: Wed Oct 27 13:41:34 2021 -0500
Add some checking to validate the scheme matches the wire protocol. (#8465)
(cherry picked from commit 92849ce8e99155c914aea4b82ed63e10e428bee1)
Conflicts:
proxy/http/HttpSM.cc
---
proxy/http/HttpSM.cc | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/proxy/http/HttpSM.cc b/proxy/http/HttpSM.cc
index 0416edc..2cf3e6a 100644
--- a/proxy/http/HttpSM.cc
+++ b/proxy/http/HttpSM.cc
@@ -863,6 +863,18 @@ HttpSM::state_read_client_request_header(int event, void *data)
break;
}
+ if (!is_internal) {
+ auto scheme = t_state.hdr_info.client_request.url_get()->scheme_get_wksidx();
+ if ((client_connection_is_ssl && (scheme == URL_WKSIDX_HTTP || scheme == URL_WKSIDX_WS)) ||
+ (!client_connection_is_ssl && (scheme == URL_WKSIDX_HTTPS || scheme == URL_WKSIDX_WSS))) {
+ SMDebug("http", "scheme [%s] vs. protocol [%s] mismatch", hdrtoken_index_to_wks(scheme),
+ client_connection_is_ssl ? "tls" : "plaintext");
+ t_state.http_return_code = HTTP_STATUS_BAD_REQUEST;
+ call_transact_and_set_next_state(HttpTransact::BadRequest);
+ break;
+ }
+ }
+
if (_from_early_data) {
// Only allow early data for safe methods defined in RFC7231 Section 4.2.1.
// https://tools.ietf.org/html/rfc7231#section-4.2.1