88 lines
4.2 KiB
Diff
88 lines
4.2 KiB
Diff
|
From 379a330ad8a56f6cf1031ff2cd3a093ead7e8585 Mon Sep 17 00:00:00 2001
|
||
|
From: Willy Tarreau <w@1wt.eu>
|
||
|
Date: Tue, 8 Aug 2023 19:35:25 +0200
|
||
|
Subject: DOC: clarify the handling of URL fragments in requests
|
||
|
|
||
|
We indicate in path/pathq/url that they may contain '#' if the frontend
|
||
|
is configured with "option accept-invalid-http-request", and that option
|
||
|
mentions the fragment as well.
|
||
|
|
||
|
(cherry picked from commit 7ab4949ef107a7088777f954de800fe8cf727796)
|
||
|
[ad: backported as a companion to BUG/MINOR: h1: do not accept '#' as
|
||
|
part of the URI component]
|
||
|
Signed-off-by: Amaury Denoyelle <adenoyelle@haproxy.com>
|
||
|
(cherry picked from commit 965fb74eb180ab4f275ef907e018128e7eee0e69)
|
||
|
Signed-off-by: Amaury Denoyelle <adenoyelle@haproxy.com>
|
||
|
(cherry picked from commit e9903d6073ce9ff0ed8b304700e9d2b435ed8050)
|
||
|
Signed-off-by: Amaury Denoyelle <adenoyelle@haproxy.com>
|
||
|
(cherry picked from commit c47814a58ec153a526e8e9e822cda6e66cef5cc2)
|
||
|
[wt: minor ctx adj]
|
||
|
Signed-off-by: Willy Tarreau <w@1wt.eu>
|
||
|
(cherry picked from commit 3706e1754b925e56951b604cce63f3bb290ed838)
|
||
|
Signed-off-by: Willy Tarreau <w@1wt.eu>
|
||
|
(cherry picked from commit b5062da485e78f4448a617a0f8b67dc5b23065d5)
|
||
|
[wt: dropped pathq]
|
||
|
Signed-off-by: Willy Tarreau <w@1wt.eu>
|
||
|
(cherry picked from commit 1ee98d04314d35b694206195b8399c501776afc5)
|
||
|
[wt: allow to run with version 1.8]
|
||
|
Signed-off-by: Willy Tarreau <w@1wt.eu>
|
||
|
---
|
||
|
doc/configuration.txt | 15 ++++++++++++---
|
||
|
reg-tests/http-rules/fragment_in_uri.vtc | 2 +-
|
||
|
2 files changed, 13 insertions(+), 4 deletions(-)
|
||
|
|
||
|
diff --git a/doc/configuration.txt b/doc/configuration.txt
|
||
|
index b30aaa9fb..c0607519a 100644
|
||
|
--- a/doc/configuration.txt
|
||
|
+++ b/doc/configuration.txt
|
||
|
@@ -5433,7 +5433,8 @@ no option accept-invalid-http-request
|
||
|
remaining ones are blocked by default unless this option is enabled. This
|
||
|
option also relaxes the test on the HTTP version, it allows HTTP/0.9 requests
|
||
|
to pass through (no version specified) and multiple digits for both the major
|
||
|
- and the minor version.
|
||
|
+ and the minor version. Finally, this option also allows incoming URLs to
|
||
|
+ contain fragment references ('#' after the path).
|
||
|
|
||
|
This option should never be enabled by default as it hides application bugs
|
||
|
and open security breaches. It should only be deployed after a problem has
|
||
|
@@ -15328,7 +15329,11 @@ path : string
|
||
|
information from databases and keep them in caches. Note that with outgoing
|
||
|
caches, it would be wiser to use "url" instead. With ACLs, it's typically
|
||
|
used to match exact file names (e.g. "/login.php"), or directory parts using
|
||
|
- the derivative forms. See also the "url" and "base" fetch methods.
|
||
|
+ the derivative forms. See also the "url" and "base" fetch methods. Please
|
||
|
+ note that any fragment reference in the URI ('#' after the path) is strictly
|
||
|
+ forbidden by the HTTP standard and will be rejected. However, if the frontend
|
||
|
+ receiving the request has "option accept-invalid-http-request", then this
|
||
|
+ fragment part will be accepted and will also appear in the path.
|
||
|
|
||
|
ACL derivatives :
|
||
|
path : exact string match
|
||
|
@@ -15502,7 +15507,11 @@ url : string
|
||
|
"path" is preferred over using "url", because clients may send a full URL as
|
||
|
is normally done with proxies. The only real use is to match "*" which does
|
||
|
not match in "path", and for which there is already a predefined ACL. See
|
||
|
- also "path" and "base".
|
||
|
+ also "path" and "base". Please note that any fragment reference in the URI
|
||
|
+ ('#' after the path) is strictly forbidden by the HTTP standard and will be
|
||
|
+ rejected. However, if the frontend receiving the request has "option
|
||
|
+ accept-invalid-http-request", then this fragment part will be accepted and
|
||
|
+ will also appear in the url.
|
||
|
|
||
|
ACL derivatives :
|
||
|
url : exact string match
|
||
|
diff --git a/reg-tests/http-rules/fragment_in_uri.vtc b/reg-tests/http-rules/fragment_in_uri.vtc
|
||
|
index 621751356..8de0adeb2 100644
|
||
|
--- a/reg-tests/http-rules/fragment_in_uri.vtc
|
||
|
+++ b/reg-tests/http-rules/fragment_in_uri.vtc
|
||
|
@@ -1,5 +1,5 @@
|
||
|
varnishtest "check for fragments in URL"
|
||
|
-#REQUIRE_VERSION=2.0
|
||
|
+#REQUIRE_VERSION=1.8
|
||
|
|
||
|
# This reg-test checks that '#' is properly blocked in requests
|
||
|
|
||
|
--
|
||
|
2.35.3
|
||
|
|