mirror of
https://github.com/haproxy/haproxy.git
synced 2026-05-25 10:42:14 -04:00
0657621669
Originally with "option accept-invalid-http-request", we couldn't really edit the request on the fly to remove offending headers. But since we have HTX and the headers are indexed one at a time, it has become trivial. A non-negligible number of violations are conditioned by the now renamed "option accept-unsafe-violations-in-http-request", and a controversial one could definitely be reporting and passing invalid header names containing control chars or spaces. The option was placed so as not to block requests/responses containing them, but there's no point in passing them to the other side. Most of the time it will be totally harmless since the other side will reject them. But in case haproxy is placed in front of a non-compliant server, it would fail to protect it. This patch implements a name check for all headers when a parsing error was detected. It's cheap enough (especially since only done after an error), and will skip the header if its name is invalid. This may also remove some possibilities of confusion in logs, or when encoding headers names for example. This should be backported at least till the last LTS. |
||
|---|---|---|
| .. | ||
| design-thoughts | ||
| internals | ||
| lua-api | ||
| 51Degrees-device-detection.txt | ||
| acl.fig | ||
| coding-style.txt | ||
| configuration.txt | ||
| cookie-options.txt | ||
| DeviceAtlas-device-detection.txt | ||
| gpl.txt | ||
| haproxy.1 | ||
| HAProxyCommunityEdition_60px.png | ||
| haterm.txt | ||
| intro.txt | ||
| lgpl.txt | ||
| linux-syn-cookies.txt | ||
| lua.txt | ||
| management.txt | ||
| netscaler-client-ip-insertion-protocol.txt | ||
| network-namespaces.txt | ||
| peers-v2.0.txt | ||
| peers.txt | ||
| proxy-protocol.txt | ||
| queuing.fig | ||
| regression-testing.txt | ||
| seamless_reload.txt | ||
| SOCKS4.protocol.txt | ||
| SPOE.txt | ||
| WURFL-device-detection.txt | ||
