CVE-2021-38161

commit feefc5e4abc5011dfad5dcfef3f22998faf6e2d4
Author: Alan M. Carroll <amc@apache.org>
Date:   Wed Oct 27 13:41:47 2021 -0500

    Add some checking to validate the scheme matches the wire protocol. (#8464)

Gbp-Pq: Name 0020-CVE-2021-38161.patch

diff --git a/proxy/http/HttpSM.cc b/proxy/http/HttpSM.cc
index e9b35de9d9b5b141df02367edc0481b9bbd8087d..9435cb1a532fa98eb2c348316a3c5691b2bb73f3 100644 (file)
--- a/proxy/http/HttpSM.cc
+++ b/proxy/http/HttpSM.cc
@@ -443,6 +443,9 @@ HttpSM::attach_client_session(ProxyClientTransaction *client_vc, IOBufferReader
   // Collect log & stats information
   client_tcp_reused         = !(ua_txn->is_first_transaction());
   SSLNetVConnection *ssl_vc = dynamic_cast<SSLNetVConnection *>(netvc);
+
+  is_internal       = netvc->get_is_internal_request();
+
   if (ssl_vc != nullptr) {
     client_connection_is_ssl = true;
     client_ssl_reused        = ssl_vc->getSSLSessionCacheHit();
@@ -724,6 +727,17 @@ HttpSM::state_read_client_request_header(int event, void *data)
   case PARSE_RESULT_DONE:
     SMDebug("http", "[%" PRId64 "] done parsing client request header", sm_id);
 
+    if (!is_internal) {
+      auto scheme = t_state.hdr_info.client_request.url_get()->scheme_get_wksidx();
+      if ((client_connection_is_ssl && (scheme == URL_WKSIDX_HTTP || scheme == URL_WKSIDX_WS)) ||
+          (!client_connection_is_ssl && (scheme == URL_WKSIDX_HTTPS || scheme == URL_WKSIDX_WSS))) {
+        SMDebug("http", "scheme [%s] vs. protocol [%s] mismatch", hdrtoken_index_to_wks(scheme),
+                client_connection_is_ssl ? "tls" : "plaintext");
+        t_state.http_return_code = HTTP_STATUS_BAD_REQUEST;
+        call_transact_and_set_next_state(HttpTransact::BadRequest);
+        break;
+      }
+    }
     ua_txn->set_session_active();
 
     if (t_state.hdr_info.client_request.version_get() == HTTPVersion(1, 1) &&

diff --git a/proxy/http/HttpSM.h b/proxy/http/HttpSM.h
index 1f3ac23266d29f62fe8500a7d96e9fa62752199c..6026f4a6e5f60fd7e5d4442c1e60cb32a29fa61b 100644 (file)
--- a/proxy/http/HttpSM.h
+++ b/proxy/http/HttpSM.h
@@ -541,6 +541,7 @@ public:
   int64_t pushed_response_body_bytes = 0;
   bool client_tcp_reused             = false;
   // Info about client's SSL connection.
+  bool is_internal                = false;
   bool client_ssl_reused          = false;
   bool client_connection_is_ssl   = false;
   const char *client_protocol     = "-";