haproxy/CVE-2023-45539-doc-clarify-URL-fragment-handling.patch
2024-09-24 12:04:59 -05:00

88 lines
4.2 KiB
Diff

From 379a330ad8a56f6cf1031ff2cd3a093ead7e8585 Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w@1wt.eu>
Date: Tue, 8 Aug 2023 19:35:25 +0200
Subject: DOC: clarify the handling of URL fragments in requests
We indicate in path/pathq/url that they may contain '#' if the frontend
is configured with "option accept-invalid-http-request", and that option
mentions the fragment as well.
(cherry picked from commit 7ab4949ef107a7088777f954de800fe8cf727796)
[ad: backported as a companion to BUG/MINOR: h1: do not accept '#' as
part of the URI component]
Signed-off-by: Amaury Denoyelle <adenoyelle@haproxy.com>
(cherry picked from commit 965fb74eb180ab4f275ef907e018128e7eee0e69)
Signed-off-by: Amaury Denoyelle <adenoyelle@haproxy.com>
(cherry picked from commit e9903d6073ce9ff0ed8b304700e9d2b435ed8050)
Signed-off-by: Amaury Denoyelle <adenoyelle@haproxy.com>
(cherry picked from commit c47814a58ec153a526e8e9e822cda6e66cef5cc2)
[wt: minor ctx adj]
Signed-off-by: Willy Tarreau <w@1wt.eu>
(cherry picked from commit 3706e1754b925e56951b604cce63f3bb290ed838)
Signed-off-by: Willy Tarreau <w@1wt.eu>
(cherry picked from commit b5062da485e78f4448a617a0f8b67dc5b23065d5)
[wt: dropped pathq]
Signed-off-by: Willy Tarreau <w@1wt.eu>
(cherry picked from commit 1ee98d04314d35b694206195b8399c501776afc5)
[wt: allow to run with version 1.8]
Signed-off-by: Willy Tarreau <w@1wt.eu>
---
doc/configuration.txt | 15 ++++++++++++---
reg-tests/http-rules/fragment_in_uri.vtc | 2 +-
2 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/doc/configuration.txt b/doc/configuration.txt
index b30aaa9fb..c0607519a 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt
@@ -5433,7 +5433,8 @@ no option accept-invalid-http-request
remaining ones are blocked by default unless this option is enabled. This
option also relaxes the test on the HTTP version, it allows HTTP/0.9 requests
to pass through (no version specified) and multiple digits for both the major
- and the minor version.
+ and the minor version. Finally, this option also allows incoming URLs to
+ contain fragment references ('#' after the path).
This option should never be enabled by default as it hides application bugs
and open security breaches. It should only be deployed after a problem has
@@ -15328,7 +15329,11 @@ path : string
information from databases and keep them in caches. Note that with outgoing
caches, it would be wiser to use "url" instead. With ACLs, it's typically
used to match exact file names (e.g. "/login.php"), or directory parts using
- the derivative forms. See also the "url" and "base" fetch methods.
+ the derivative forms. See also the "url" and "base" fetch methods. Please
+ note that any fragment reference in the URI ('#' after the path) is strictly
+ forbidden by the HTTP standard and will be rejected. However, if the frontend
+ receiving the request has "option accept-invalid-http-request", then this
+ fragment part will be accepted and will also appear in the path.
ACL derivatives :
path : exact string match
@@ -15502,7 +15507,11 @@ url : string
"path" is preferred over using "url", because clients may send a full URL as
is normally done with proxies. The only real use is to match "*" which does
not match in "path", and for which there is already a predefined ACL. See
- also "path" and "base".
+ also "path" and "base". Please note that any fragment reference in the URI
+ ('#' after the path) is strictly forbidden by the HTTP standard and will be
+ rejected. However, if the frontend receiving the request has "option
+ accept-invalid-http-request", then this fragment part will be accepted and
+ will also appear in the url.
ACL derivatives :
url : exact string match
diff --git a/reg-tests/http-rules/fragment_in_uri.vtc b/reg-tests/http-rules/fragment_in_uri.vtc
index 621751356..8de0adeb2 100644
--- a/reg-tests/http-rules/fragment_in_uri.vtc
+++ b/reg-tests/http-rules/fragment_in_uri.vtc
@@ -1,5 +1,5 @@
varnishtest "check for fragments in URL"
-#REQUIRE_VERSION=2.0
+#REQUIRE_VERSION=1.8
# This reg-test checks that '#' is properly blocked in requests
--
2.35.3